2 An Analysis of Code Red I

The first version of the Code Red worm was initially seen in the wild on July 13th, 2001, according to Ryan Permeh and Marc Maiffret of Eeye Digital Security [EDS01a, EDS01b], who disassembled the worm code and analyzed its behavior. The worm spread by compromising Microsoft IIS web servers using the .ida vulnerability discovered also by Eeye and published June 18th [EDS01c] and was assigned CVE number CVE-2001-0500 [CV01].

Once it infected a host, Code-Red spread by launching 99 threads which generated random IP addresses, and then tried to compromise those IP addresses using the same vulnerability. A hundredth thread defaced the web server in some cases.

However, the first version of the worm analyzed by Eeye, which came to be known as CRv1, had an apparent bug. The random number generator was initialized with a fixed seed, so that all copies of the worm in a particular thread, on all hosts, generated and attempted to compromise exactly the same sequence of IP addresses. (The thread identifier is part of the seeding, so the worm had a hundred different sequences that it explores through the space of IP addresses, but it only explored those hundred.) Thus CRv1 had a linear spread and never compromised many machines.

On July 19th, 2001, a second version of the worm began to spread. This was suspected informally via mailing list discussion, then confirmed by the mathematical analysis we present below, and finally definitively confirmed by disassembly of the new worm. This version came to be known as CRv2, or Code Red I.

Code Red I v2 was the same codebase as CRv1 in almost all respects—the only differences were fixing the bug with the random number generation, an end to web site defacements, and a DDOS payload targeting the IP address of www.whitehouse.gov.

We developed a tentative quantitative theory of what happened with the spread of Code Red I worm. The new version spread very rapidly until almost all vulnerable IIS servers on the Internet were compromised. It stopped trying to spread at midnight UTC due to an internal constraint in the worm that caused it to turn itself off. It then reactivated on August 1st, though for a while its spread was suppressed by competition with Code Red II (see below). However, Code Red II died by design [SA01] on October 1, while Code Red I has continued to make a monthly resurgence, as seen in Figure 2. Why it continues to gain strength with each monthly appearance remains unknown.³

We call this model the Random Constant Spread (RCS) model. The model assumes that the worm had a good random number generator that is properly seeded. We define N as the total number of vulnerable servers which can be potentially compromised from the Internet. (We make the approximation that N is fixed—ignoring both patching of systems during the worm spread and normal deploying and removing of systems or turning on and off of systems at night. We also ignore any spread of the worm behind firewalls on private Intranets.)

K is the initial compromise rate. That is, the number of vulnerable hosts which an infected host can find and compromise per hour at the start of the incident, when few other hosts are compromised. We assume that K is a global constant, and does not depend on the processor speed, network connection, or location of the infected machine. (Clearly, constant K is only an approximation.)

We assume that a compromised machine picks other machines to attack completely at random, and that once a machine is compromised, it cannot be compromised again, or that if it is, that does not increase the rate at which it can find and attack new systems. We assume that once it is compromised, it stays that way.

T is a time which fixes when the incident happens.

We then have the following variables:

• a is the proportion of vulnerable machines which have been compromised.
• t is the time (in hours).

Now, we analyze the problem by assuming that at some particular time t, a proportion of the machines a have been compromised, and then asking how many more machines, N da, will get compromised in the next amount of time dt. The answer is:

$$N\,da = (N a)\,K\,(1 - a)\,dt. \qquad (1)$$

The reason is that the number of machines compromised in the next increment of time is proportional to the number of machines already compromised (N a) times the number of machines each compromised machine can

³ One possibility is that, since the default install of Windows 2000 server includes IIS, new vulnerable machines have been added to the Internet
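The RCS model of equation (1), integrated numerically and checked against its closed-form (logistic) solution, as an added example that is not code from the paper. The closed-form expression, the Euler integration, and the sample values for N, K and the initial compromised fraction are assumptions constructed here, not figures taken from the page.

```python
"""Random Constant Spread (RCS) model, equation (1): N da = (N a) K (1 - a) dt.

Dividing by N gives da/dt = K a (1 - a). This block integrates that ODE with
fixed Euler steps and compares it with the logistic closed form, which is the
standard solution of the ODE (supplied here as an assumption, not by the page).
"""
import math


def rcs_euler(N, K, a0, hours, dt=0.001):
    """Integrate equation (1) from fraction a0 for `hours` hours.

    Returns a list of (t, a) samples, one per whole hour, so the caller can see
    the slow start, the exponential phase at rate K, and the saturation.
    """
    a = a0
    samples = [(0.0, a)]
    steps_per_hour = int(round(1.0 / dt))
    for i in range(1, int(round(hours / dt)) + 1):
        # Equation (1) divided by N: each already-compromised fraction a finds
        # K (1 - a) still-vulnerable hosts per hour.
        a += K * a * (1.0 - a) * dt
        if i % steps_per_hour == 0:
            samples.append((i * dt, a))
    return samples


def time_of_half(K, a0):
    """Hour T at which the logistic solution with a(0) = a0 reaches a = 1/2.

    From a0 = e^{-KT} / (1 + e^{-KT}):  T = -ln(a0 / (1 - a0)) / K.
    """
    return -math.log(a0 / (1.0 - a0)) / K


def rcs_closed_form(K, T, t):
    """Logistic solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})."""
    x = math.exp(K * (t - T))
    return x / (1.0 + x)


def first_hour_reaching(samples, fraction):
    """First sampled hour at which the compromised fraction is >= `fraction`."""
    return next(int(t) for t, a in samples if a >= fraction)


def max_hourly_compromises(N, samples):
    """Peak hour-over-hour count of newly compromised hosts, N (a(t+1) - a(t))."""
    return max(int(N * (b[1] - a[1])) for a, b in zip(samples, samples[1:]))


if __name__ == "__main__":
    # Constructed sample values: 360000 vulnerable servers, K = 1.8 per hour,
    # one initially compromised host.
    N, K = 360000, 1.8
    for t, a in rcs_euler(N, K, 1.0 / N, 24):
        print(f"hour {t:4.0f}: fraction compromised = {a:.4f}")
```

Because da/dt peaks at a = 1/2, the hourly count of new compromises can never exceed K N / 4, which is a useful sanity check on any fitted K.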