[Figure 5: HTTP connections per second seen at the Lawrence Berkeley National Laboratory, rising due to the onset of Nimda, September 18, 2001. Plot title "Onset of NIMDA"; x-axis: Time (PDT), 6.0 to 8.0; y-axis: Connections/Second, 0 to 140.]

Figure 5 illustrates how rapidly the worm tried to infect one site, the Lawrence Berkeley National Laboratory.
The x-axis plots hours past midnight, PDT, while the y-axis plots HTTP connection attempts per second. Only connections from hosts confirmed to have harbored Nimda are counted, to avoid possible confusion with concurrent Code Red connection attempts. After the onset of the infection, the total rate of probing was about 3 times that from the hosts subsequently confirmed to harbor Nimda.

Clearly, onset was quite rapid, rising in just half an hour from essentially no probing to a sustained rate of nearly 100 probes/sec.

There is an additional synergy in Nimda’s use of multiple infection vectors: many firewalls allow mail to pass untouched, relying on the mail servers to remove pathogens. Yet since many mail servers remove pathogens based on signatures, they aren’t effective during the first few minutes to hours of an outbreak, giving Nimda a reasonably effective means of crossing firewalls to invade internal networks.

Finally, we note that Nimda’s full functionality is still not known: all that is known is how it spreads, but not what it might be capable of doing in addition to spreading, if it receives the right trigger, or a prearranged time rolls around. We return to this point in Section 7.

4 “Better” worms—theory

There are several techniques which, although not yet employed, could further significantly increase the virulence of a worm. Beyond the obvious factors of discovering more widespread security holes and increasing the scanning rate, some additional strategies a worm author could employ are: (i) hit-list scanning, (ii) permutation scanning, (iii) topologically aware worms, and (iv) Internet-scale hit-lists. The goal is very rapid infection—in particular, considerably faster than any possible human-mediated response.

A worm’s scanner can obviously be made significantly faster than the ones seen today, by careful use of threading and an understanding of the protocols. By having many requests outstanding, a worm should be capable of scanning targets at a rate proportional to its access bandwidth. Since it only takes 40 bytes for a TCP SYN packet (a 20-byte IP header plus a 20-byte TCP header) to determine if a service is accessible, and often only a few hundred bytes to attempt an exploit, the potential scans per second can easily exceed 100 for even poor Internet connections. This increases K by allowing a worm to search for a greater number of targets in a given period of time.

Similarly, the more widespread the vulnerable software is, the faster a worm using that vulnerability can spread, because each random scan of the network is more likely to pick up a target, also increasing K. We should therefore expect that worm authors will devote considerable scrutiny to highly homogeneous, highly deployed services, both for the faster spreading and for the greater number of machines that could be compromised in a single attack.

4.1 Hit-list Scanning

One of the biggest problems a worm faces in achieving a very rapid rate of infection is “getting off the ground.” Although a worm spreads exponentially during the early stages of infection, the time needed to infect, say, the first 10,000 hosts dominates the infection time, as can be seen in Figure 3. There is a simple way for an active worm to overcome
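The two quantitative claims above, that a scanner's probe rate is bounded by its access bandwidth and feeds directly into K, and that the time to the first 10,000 infections dominates the whole outbreak, can be checked numerically. The Python below is an added example, not code from the paper. It assumes the simple random-scanning (logistic) model in which K equals the per-host scan rate times the vulnerable fraction of a uniformly scanned 2^32 address space, and it uses constructed inputs (360,000 vulnerable hosts, 10 probes per second per infected host, a 56 kbit/s link); none of these numbers are measurements.

```python
"""Added example (not from the paper): mean-field simulation of the random-scanning
worm model that the paper's K refers to.  Assumptions: an IPv4 address space of 2**32
scanned uniformly at random, and K = scans_per_sec * N_vuln / 2**32, i.e. the expected
number of new victims one infected host finds per second while almost every
vulnerable host is still uninfected.  All host counts and link speeds below are
constructed inputs."""

import math

ADDRESS_SPACE = 2 ** 32  # assumption: the worm scans the whole IPv4 space uniformly


def scan_rate_from_bandwidth(bandwidth_bps, bytes_per_probe=40):
    """Probes per second an access link can emit if every probe is one packet of
    `bytes_per_probe` bytes (40 = 20-byte IP header + 20-byte TCP header, a bare SYN).
    Link-layer framing is ignored, so this is an upper bound."""
    return bandwidth_bps / 8 / bytes_per_probe


def compromise_rate(scans_per_sec, vulnerable_hosts, address_space=ADDRESS_SPACE):
    """K for the random constant spread model: new infections per second caused by
    one infected host at the very start of the outbreak."""
    return scans_per_sec * vulnerable_hosts / address_space


def time_to_infect(target, vulnerable_hosts, k, initial_infected=1):
    """Closed-form time (seconds) at which the logistic curve
    I(t) = N / (1 + (N/I0 - 1) * exp(-K t)) first reaches `target` hosts."""
    n = vulnerable_hosts
    return math.log((n / initial_infected - 1) / (n / target - 1)) / k


def simulate(vulnerable_hosts, scans_per_sec, initial_infected=1, dt=1.0, stop_fraction=0.99):
    """Forward-Euler simulation of the same model.  Each step every infected host sends
    scans_per_sec * dt random probes; a probe lands on a not-yet-infected vulnerable
    host with probability (N - I) / ADDRESS_SPACE.  Returns [(t_seconds, infected), ...]."""
    n = vulnerable_hosts
    infected = float(initial_infected)
    t = 0.0
    history = [(t, infected)]
    while infected < stop_fraction * n:
        new_victims = infected * scans_per_sec * dt * (n - infected) / ADDRESS_SPACE
        infected = min(float(n), infected + new_victims)
        t += dt
        history.append((t, infected))
    return history


def first_time_at_least(history, target):
    """First simulated time at which the infected count reaches `target`, or None."""
    for t, infected in history:
        if infected >= target:
            return t
    return None


if __name__ == "__main__":
    # Constructed scenario: 360,000 vulnerable hosts, each infected host probing 10/s.
    n_vuln, rate = 360_000, 10
    ninety_pct = n_vuln * 9 // 10
    k = compromise_rate(rate, n_vuln)
    print(f"56 kbit/s modem can emit {scan_rate_from_bandwidth(56_000):.0f} SYN probes/s")
    print(f"K = {k:.2e}/s = {k * 3600:.2f}/hour")
    hist = simulate(n_vuln, rate)
    t_10k = first_time_at_least(hist, 10_000)
    t_90 = first_time_at_least(hist, ninety_pct)
    print(f"first 10,000 hosts: {t_10k / 3600:.2f} h; 10,000 -> 90%: {(t_90 - t_10k) / 3600:.2f} h")
    # Same model, but starting from 10,000 already-infected hosts: the slow start vanishes.
    seeded = time_to_infect(ninety_pct, n_vuln, k, 10_000)
    print(f"from 10,000 seeds to 90%: {seeded / 3600:.2f} h")
```

With these inputs a 56 kbit/s link already sustains 175 bare SYN probes per second, which is where the "easily exceed 100" figure comes from, and doubling the probe rate doubles K. The simulation shows the shape the text describes: reaching the first 10,000 victims takes roughly three hours, whereas going from 10,000 to 90% of the vulnerable population takes under two, and a run that starts with 10,000 infected hosts skips the slow start entirely, which is exactly the "getting off the ground" cost this subsection is about.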