[Figure 4: plot of hourly probe rate; x-axis: Hour of the day (0 to 20); y-axis: Number seen in an hour (0 to 250,000); series: # of scans, Predicted # of scans]

Figure 4: Hourly probe rate data for inbound port 80 at the Chemical Abstracts Service, for Code Red I’s reemergence on August 1st. The x-axis shows the time of day on August 1st (Central US Time).
The y-axis shows the monitored probe rate and a fit for the data discussed in the text.

3 “Better” worms—practice

In this section, we explore the strategies adopted by the two major worms released subsequent to Code Red I: “Code Red II” and “Nimda.”

3.1 Localized scanning—Code Red II

The Code Red II worm was released on Saturday August 4th, 2001 and spread rapidly [CE01, SA01]. The worm code contained a comment stating that it was “Code Red II,” but it was an unrelated code base. It did use the same vulnerability, however—a buffer overflow in Microsoft’s IIS Web server with CVE number CVE-2001-0500. When successful, the payload installed a root backdoor allowing unrestricted remote access to the infected host. The worm exploit only worked correctly when IIS was running on Microsoft Windows 2000; on Windows NT it caused a system crash rather than an infection.

The worm was also a single-stage scanning worm that chose random IP addresses and attempted to infect them. However, it used a localized scanning strategy, where it was differentially likely to attempt to infect addresses close to it. Specifically, with probability 3/8 it chose a random IP address from within the class B address space (/16 network) of the infected machine. With probability 1/2 it chose randomly from its own class A (/8 network). Finally, with probability 1/8 it would choose a random address from the whole Internet.

This strategy appears quite successful. The localized spreading allows the worm to quickly infect parts of the Internet that contain many vulnerable hosts, and also means that the infection often proceeds quicker since hosts with similar IP addresses are often close together in the network topology also. This strategy also allows a worm to spread very rapidly within an internal network once it manages to pass through the external firewall.
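The localized mix above (3/8 own /16, 1/2 own /8, 1/8 anywhere) leaves a measurable signature in probe logs: a large share of a scanner's targets fall inside its own /8 and /16, whereas a uniform scanner almost never hits either. The following is an added example, not code from the paper, that derives the expected same-/8 and same-/16 fractions from the page's probabilities (the conditional terms 1/256 and 1/65536 are my own derivation from how often a random /8 or Internet address lands in the scanner's own prefix) and then classifies each source in a small set of constructed port-80 probe lines as localized or uniform. The log format is invented for the example.

```python
"""Added example (not from the paper): estimate how "localized" a scanner's
target selection is from observed probe logs and compare it with the
Code Red II mix of Section 3.1 versus uniform random scanning."""
import ipaddress
from collections import defaultdict
from fractions import Fraction


def expected_locality(p16, p8, pany):
    """Expected fraction of a scanner's targets that share its /8 and its /16
    under a three-way mix: p16 within own /16, p8 within own /8, pany anywhere.
    Derivation (assumption, not stated on the page): a random address from the
    scanner's /8 falls in its own /16 with probability 1/256; a random Internet
    address falls in its /8 with probability 1/256 and in its /16 with 1/65536."""
    same8 = p16 + p8 + pany * Fraction(1, 256)
    same16 = p16 + p8 * Fraction(1, 256) + pany * Fraction(1, 65536)
    return same8, same16


# Reference mixes as (p16, p8, pany); the first is the page's Code Red II strategy.
CODE_RED_II = (Fraction(3, 8), Fraction(1, 2), Fraction(1, 8))
UNIFORM = (Fraction(0), Fraction(0), Fraction(1))


def parse_probe(line):
    """Parse one constructed log line: '<epoch> <src> -> <dst>:<port>'."""
    ts, src, _arrow, dstport = line.split()
    dst, port = dstport.rsplit(":", 1)
    return int(ts), src, dst, int(port)


def observed_locality(lines, port=80):
    """Per source IP: (probe count, fraction same /8, fraction same /16),
    counting only probes to the given destination port."""
    counts = defaultdict(lambda: [0, 0, 0])  # src -> [total, same /8, same /16]
    for line in lines:
        _ts, src, dst, p = parse_probe(line)
        if p != port:
            continue
        s = int(ipaddress.ip_address(src))
        d = int(ipaddress.ip_address(dst))
        rec = counts[src]
        rec[0] += 1
        rec[1] += int((s >> 24) == (d >> 24))  # same first octet  -> same /8
        rec[2] += int((s >> 16) == (d >> 16))  # same first two octets -> same /16
    return {src: (n, s8 / n, s16 / n) for src, (n, s8, s16) in counts.items()}


def classify(frac8, frac16):
    """Label an observed (same /8, same /16) pair by the nearer reference mix."""
    def dist(mix):
        e8, e16 = expected_locality(*mix)
        return abs(frac8 - float(e8)) + abs(frac16 - float(e16))
    return "localized" if dist(CODE_RED_II) < dist(UNIFORM) else "uniform"


# Constructed sample: 10.1.2.3 shows the Code Red II profile (3 of 8 targets
# in its /16, 7 of 8 in its /8); 192.0.2.7 only probes unrelated /8s; the
# final line is not port 80 and is ignored.
PROBES = [
    "1000 10.1.2.3 -> 10.1.9.44:80",
    "1001 10.1.2.3 -> 10.1.200.5:80",
    "1002 10.1.2.3 -> 10.1.77.1:80",
    "1003 10.1.2.3 -> 10.55.3.3:80",
    "1004 10.1.2.3 -> 10.130.8.8:80",
    "1005 10.1.2.3 -> 10.9.9.9:80",
    "1006 10.1.2.3 -> 10.240.1.1:80",
    "1007 10.1.2.3 -> 198.51.100.7:80",
    "1008 192.0.2.7 -> 203.0.113.9:80",
    "1009 192.0.2.7 -> 198.51.100.2:80",
    "1010 192.0.2.7 -> 100.64.1.1:80",
    "1011 192.0.2.7 -> 172.16.5.5:80",
    "1012 192.0.2.7 -> 192.0.2.250:22",
]


def report(lines=PROBES, port=80):
    """Map each source IP to its label, e.g. {'10.1.2.3': 'localized', ...}."""
    return {src: classify(f8, f16)
            for src, (_n, f8, f16) in observed_locality(lines, port).items()}


if __name__ == "__main__":
    for src, (n, f8, f16) in observed_locality(PROBES).items():
        print(f"{src}: {n} probes, same /8 {f8:.3f}, same /16 {f16:.3f} "
              f"-> {classify(f8, f16)}")
```

With the page's probabilities, `expected_locality` gives roughly 0.876 for same-/8 and 0.377 for same-/16, against 0.0039 and 0.000015 for a uniform scanner, so even a handful of probes per source separates the two profiles cleanly; in practice one would require a minimum probe count per source before labelling it.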
Unfortunately, developing an analytic model for the spread of a worm employing this type of localized scanning strategy is significantly more difficult than the modeling effort in Section 2, because it requires incorporating potentially highly non-homogeneous patterns of population locality. The empirical data is also harder to interpret, because Code Red I was quite active when Code Red II was released. Indeed, it appears that Code Red II took a while to overcome Code Red I (see Figure 1), but fully determining the interplay between the two appears to be a significant undertaking.

3.2 Multi-vector worms—Nimda

As well illustrated by the Nimda worm/virus (and, indeed, the original Internet Worm [Sp89, ER89]), malevolent code is not restricted to a single technique. Nimda began on September 18th, 2001, spread very rapidly, and maintained itself on the Internet for months after it started. Nimda spread extensively behind firewalls, and illustrates the ferocity and wide reach that a multi-mode worm can exhibit. The worm is thought to have used at least five different methods to spread itself.

• By infecting Web servers from infected client machines via active probing for a Microsoft IIS vulnerability (CVE-2000-0884).
• By bulk emailing of itself as an attachment based on email addresses determined from the infected machine.
• By copying itself across open network shares.
• By adding exploit code to Web pages on compromised servers in order to infect clients which browse the page.
• By scanning for the backdoors left behind by Code Red II and also the “sadmind” worm [CE03].