300000 200.000 100000 Time(minutes Time(hours) nfected Machines Active worms Figure 7: The spread of three simulated worms in a popu- Figure 8: A closeup of the behavior of the Warhol worm tion of 300,000 vulnerable machines: (i a Code Red-like seen in Figure 7. The infection initially progresses rapidly worm capable of 10 scans/second, (ii) a faster scanning worm effectively all worms are actively scanning the net -but as in- capable of 100 scans/second, and (iii)a Warhol worm, capable fection rates near 100%, many worms have gone dormant, cor- of 100 scans/second, using a 10,000 entry hit-list and permu- rectly concluding that there are few vulnerable machines I tation scanning which gives up when 2 infected machines are maining and should therefore cease scanning discovered without finding a new target. All graphs stop at 99.99% infection of the simulated addres 15 minutes set of vulnerable machines. We used a 32-bit, 6-round Figure 8 shows in more detail the behavior of the Warhol ariant of RC5 to generate all permutations and random strategies. It gets a huge boost from the hit-list during the numbers first few seconds of propagation, quickly establishing it- self on the network and then spreading exponentially. As We can parameterize the simulation in terms of: the the infection exceeds the 50 number of vulnerable machines in the address space, begin recognizing that saturation is occurring and stop scans per second; the time to infect a machine, num- scanning. By the time the graph ends(at 99.99% of ber infected during the hit-list phase; and the type of the simulated population), most of the worms have gone secondary scan(permutation, partitioned permutation, silent, leaving a few remaining worms to finish scannin or random). The simulator assumes multithreaded scan- the last of the address spac To ensure that the simulator produces reasonable re- 4.4 Topological Scanning sults, Figure 6 shows a comparison between the simu lator's output and the model developed in Section 2, for a worm capable of 10 scans/second in a population of An alternative to hit-list scanning is topologically aware 300.000 vulnerable machines. The simulation results fit canning. which uses information contained on the vic- the model for K= 2.6 and T=5.52. This represents a tim machine in order to select new targets. Email worms worm which is slightly faster(less than 50%)than Code Red I ave used this tactic since their inception, as they harvest addresses from their victim in order to find new poten tial targets, as did the Morris worm(necessary because Figure 7 then shows how both faster scanning and the of the very sparse address space when was released) Warhol strategies affect the propagation time. The faster scanning worm(capable of 100 scans/second)reduces the infection time down to under an hour, while the com- Many future active worms could easily apply these tech- bination of hit-list scanning, permutation scanning, and niques during the initial spread, before switching to fast scanning, further reduces infection time to roughly a permutation scan once the known neighbors are ex hausted. An active worm local scanning. to-peer application could easily get a list of peers from0 100,000 200,000 300,000 0 1 2 3 4 6 7 8 Time (hours) Number of Instances Conventional Fast Scanning Warhol Figure 7: The spread of three simulated worms in a popu￾lation of 300,000 vulnerable machines: (i) a Code Red-like worm capable of 10 scans/second, (ii) a faster scanning worm capable of 100 scans/second, and (iii) a Warhol worm, capable of 100 scans/second, using a 10,000 entry hit-list and permu￾tation scanning which gives up when 2 infected machines are discovered without finding a new target. All graphs stop at 99.99% infection of the simulated address space. set of vulnerable machines. We used a 32-bit, 6-round variant of RC5 to generate all permutations and random numbers. We can parameterize the simulation in terms of: the number of vulnerable machines in the address space; scans per second; the time to infect a machine; num￾ber infected during the hit-list phase; and the type of secondary scan (permutation, partitioned permutation, or random). The simulator assumes multithreaded scan￾ning. To ensure that the simulator produces reasonable re￾sults, Figure 6 shows a comparison between the simu￾lator’s output and the model developed in Section 2, for a worm capable of 10 scans/second in a population of 300,000 vulnerable machines. The simulation results fit the model for K = 2.6 and T = 5.52. This represents a worm which is slightly faster (less than 50%) than Code Red I. Figure 7 then shows how both faster scanning and the Warhol strategies affect the propagation time. The faster scanning worm (capable of 100 scans/second) reduces the infection time down to under an hour, while the com￾bination of hit-list scanning, permutation scanning, and fast scanning, further reduces infection time to roughly network, it is usually not reachable directly by a worm except through local scanning. 0 100,000 200,000 300,000 0 2 4 6 8 10 12 14 16 Time (minutes) Infected Machines Infected Machines Active Worms Dormant Worms Figure 8: A closeup of the behavior of the Warhol worm seen in Figure 7. The infection initially progresses rapidly— effectively all worms are actively scanning the net—but as in￾fection rates near 100%, many worms have gone dormant, cor￾rectly concluding that there are few vulnerable machines re￾maining and should therefore cease scanning. 15 minutes. Figure 8 shows in more detail the behavior of the Warhol strategies. It gets a huge boost from the hit-list during the first few seconds of propagation, quickly establishing it￾self on the network and then spreading exponentially. As the infection exceeds the 50% point, some of the worms begin recognizing that saturation is occurring and stop scanning. By the time the graph ends (at 99.99% of the simulated population), most of the worms have gone silent, leaving a few remaining worms to finish scanning the last of the address space. 4.4 Topological Scanning An alternative to hit-list scanning is topologically aware scanning, which uses information contained on the vic￾tim machine in order to select new targets. Email worms have used this tactic since their inception, as they harvest addresses from their victim in order to find new poten￾tial targets, as did the Morris worm (necessary because of the very sparse address space when it was released) [Sp89, ER89]. Many future active worms could easily apply these tech￾niques during the initial spread, before switching to a permutation scan once the known neighbors are ex￾hausted. An active worm that attacked a flaw in a peer￾to-peer application could easily get a list of peers from