nected to only one or two local hosts, for those connecting to three or more hosts, the fit to a Pareto distribution (with shape parameter α = 2.1) is compelling. That the degree has such a distribution is then strongly suggestive that the underlying KaZaA network may exhibit a scale-free (or Zipf-like) topology. The propagation of contagion through such networks has recently been studied [PV01]. While the discussion in that article is flawed—it confounds the Internet’s underlying IP topology with email and Web application topology—the general framework the authors develop gives hope that we can leverage it to better understand the behavior of a KaZaA contagion worm. That said, we add that the degree of the local hosts is clearly not Pareto, so the analysis might not in fact apply.

6 Updates and Control

The last facet of worm design we examine concerns mechanisms by which the attacker can control and modify a worm after its dissemination. The ease and resiliency with which an attacker can do so has serious consequences for both how the threat of a deployed worm can evolve, and the potential difficulty in detecting the worm’s presence and operation after the initial infection.

Some previous worms such as the Goner mail worm [CE02] contained primitive remote control code, similar to many common “zombies”, allowing the authors and others to issue commands to a distributed DOS module through an IRC [OR93] channel. (Indeed, the root backdoor installed by Code Red II also offered a form of unlimited remote control.) Other worms have attempted to download updates and payloads from web pages, such as W32/sonic [Sy00]. Both of these mechanisms, when employed, were quickly countered by removing the pages and tracking the channels. Similarly, previously seen DDOS tools such as Stacheldraht [Di99] have included both encrypted communication and update mechanisms for directly controlling the zombies. Here we briefly explore a more sophisticated method—direct worm-to-worm communication and programmable updates—which, while not yet observed in the wild, is a natural evolution based on the previous updatable worms and DDOS tools.

6.1 Distributed Control

In a distributed-control worm, each worm has a list of other known, running copies of the worm and an ability to create encrypted communication channels to spread information. Any new command issued to the worms has a unique identifier and is cryptographically signed using an author’s key. Once a worm has a copy of the command, the command is first verified by examining the cryptographic signature, spread to every other known instance of the worm, and then executed. This allows any command to be initially sent to an arbitrary worm instance, where it is then quickly spread to all running copies. The key to such a network is the degree of connectivity maintained, in order to overcome infected hosts being removed from the network, and to hasten the spread of new commands.

Although it is clear that a worm could spread information to its neighbors about other worm instances in order to create a more connected, highly redundant network, it is useful to estimate the initial degree of connectivity without these additional steps. If each worm node only knows about other nodes it has probed, infected, or been probed by, the average connectivity is still very high. With 1M hosts, using permutation scanning (with no halting), our simulator shows that the average degree of nodes in the worm network is 4 when 95% infection is achieved, and 5.5 when 99% infection is achieved. Additionally, each permutation-based rescan will add 2 to the degree of every worm, representing the copy discovered by each instance, and the copy which discovers each instance. Thus, after a couple of rescans, the connectivity becomes very high without requiring additional communication between the worm instances.

Such a network could be used to quickly pass updates to all running copies, without having a single point of communication like that seen in previous worms, increasing the staying power by preventing the communication channel from being disrupted or co-opted by others, while still allowing the author to control their creation in a difficult-to-track manner.

6.2 Programmatic Updates

The commands to a worm can of course be arbitrary code. Many operating systems already support convenient dynamic code loading, which could be readily em-
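The degree-distribution measurement behind the Pareto fit at the top of this page (hosts with three or more peers, shape α = 2.1) is easy to reproduce from a connection log. The following is an added example, not code from the paper or its authors: it computes the contact-graph degree of each host from constructed (src, dst) flow records, estimates the Pareto shape by maximum likelihood, and builds the empirical complementary CDF that, on log-log axes, shows whether a straight-line (scale-free) tail is actually present. The function names, the constructed flows and the synthetic-sample generator are all assumptions introduced here.

```python
import math
import random
from collections import defaultdict


def peer_degrees(flows):
    """Degree of each host: number of distinct peers it exchanged traffic with.

    `flows` is an iterable of (src, dst) pairs distilled from a connection
    log; direction is ignored because the quantity of interest is the
    undirected contact graph.
    """
    peers = defaultdict(set)
    for src, dst in flows:
        if src == dst:
            continue
        peers[src].add(dst)
        peers[dst].add(src)
    return {host: len(p) for host, p in peers.items()}


def pareto_mle(samples, x_min):
    """Maximum-likelihood estimate of the Pareto shape parameter alpha.

    For x_i >= x_min the estimator is alpha_hat = n / sum(ln(x_i / x_min)).
    Samples below x_min are excluded, mirroring the paper's restriction to
    hosts with three or more peers.
    """
    xs = [float(x) for x in samples if x >= x_min]
    if len(xs) < 2:
        raise ValueError("need at least two samples at or above x_min")
    denom = sum(math.log(x / x_min) for x in xs)
    if denom <= 0.0:
        raise ValueError("all samples equal x_min; shape is undefined")
    return len(xs) / denom


def ccdf(samples):
    """Empirical complementary CDF as sorted (x, P[X >= x]) pairs.

    On log-log axes a Pareto tail is a straight line of slope -alpha; this
    is the visual check to make before trusting the MLE number.
    """
    xs = sorted(samples)
    n = len(xs)
    points = []
    for i, x in enumerate(xs):
        if i == 0 or x != xs[i - 1]:
            points.append((x, (n - i) / n))
    return points


def pareto_samples(alpha, x_min, n, seed):
    """Synthetic Pareto(alpha, x_min) draws by inverse CDF, used only to
    sanity-check the estimator. U is uniform on (0, 1], so
    x = x_min * U**(-1/alpha) is always finite."""
    rng = random.Random(seed)
    return [x_min * (1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]


if __name__ == "__main__":
    # Constructed flow records (not real KaZaA traffic).
    flows = [("h1", "h2"), ("h1", "h3"), ("h1", "h4"), ("h2", "h3"),
             ("h5", "h1"), ("h5", "h2"), ("h6", "h1"), ("h7", "h1")]
    deg = peer_degrees(flows)
    print("degrees:", deg)
    print("hosts with >= 3 peers:", sum(1 for d in deg.values() if d >= 3))
    # Recovery check on synthetic data drawn with the paper's alpha = 2.1.
    synth = pareto_samples(2.1, 3.0, 5000, seed=42)
    print("alpha_hat on synthetic data:", round(pareto_mle(synth, 3.0), 2))
    print("ccdf head:", ccdf(synth)[:3])
```

On real data, run `pareto_mle` only on the tail above the chosen `x_min` and look at `ccdf` first; a heavy tail that bends on the log-log plot (as the paper notes for the local hosts) is not Pareto, and the estimator will still happily return a number for it.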
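The connectivity estimate in Section 6.1 (average degree about 4 at 95% infection, and roughly +2 per permutation-based rescan) follows from a simple contact-graph model, and a defender wanting to understand why removing a handful of infected hosts does not partition such a network can reproduce the shape of the result at small scale. The following is an added toy simulation, not the paper's simulator: it uses an abstract address space with a shared permutation, counts a node's neighbors as the hosts it probed, infected, or was probed by, and models a rescan as a halting walk from a random restart point. All sizes, seeds and function names are assumptions chosen here, and the absolute numbers it prints will differ from the paper's 1M-host figures.

```python
import random


def build_contact_graph(n_addr=20000, n_vuln=500, target_fraction=0.95, seed=7):
    """Permutation scanning with no halting over an abstract address space.

    All worms share one permutation of the addresses and start at a random
    point in it; each round every infected node probes the next address in
    its slice and keeps going even after hitting an infected host.
    Returns (neighbors, perm, vulnerable): the contact graph as
    {host: set of hosts it probed, infected, or was probed by}, the shared
    permutation, and the vulnerable address set.
    """
    rng = random.Random(seed)
    vulnerable = sorted(rng.sample(range(n_addr), n_vuln))
    vuln_set = set(vulnerable)
    perm = list(range(n_addr))
    rng.shuffle(perm)

    first = vulnerable[0]                       # the initial infection
    neighbors = {first: set()}
    cursor = {first: rng.randrange(n_addr)}     # each worm's position in perm
    goal = target_fraction * n_vuln

    while len(neighbors) < goal:
        for worm in list(neighbors):            # snapshot: new infections probe next round
            addr = perm[cursor[worm] % n_addr]
            cursor[worm] += 1
            if addr in vuln_set and addr != worm:
                if addr not in neighbors:       # fresh infection
                    neighbors[addr] = set()
                    cursor[addr] = rng.randrange(n_addr)
                neighbors[worm].add(addr)       # prober learns of the copy
                neighbors[addr].add(worm)       # copy learns of the prober
    return neighbors, perm, vuln_set


def permutation_rescan(neighbors, perm, seed=11):
    """One permutation-based rescan, modelled as a halting walk.

    Each worm restarts at a random point in the permutation and scans until
    it reaches another infected host, which it records as a neighbor (and
    which records it in turn). Every walk adds at most one edge, so the
    average degree rises by at most 2 per rescan; the paper's "+2" is the
    case where none of those edges already existed.
    """
    rng = random.Random(seed)
    infected = set(neighbors)
    if len(infected) < 2:
        return neighbors
    n_addr = len(perm)
    for worm in list(infected):
        pos = rng.randrange(n_addr)
        while True:
            addr = perm[pos % n_addr]
            pos += 1
            if addr in infected and addr != worm:
                neighbors[worm].add(addr)
                neighbors[addr].add(worm)
                break
    return neighbors


def average_degree(neighbors):
    """Mean number of known copies per infected node."""
    return sum(len(s) for s in neighbors.values()) / len(neighbors)


if __name__ == "__main__":
    for frac in (0.95, 0.99):
        graph, perm, _ = build_contact_graph(target_fraction=frac)
        print(f"{frac:.0%} infected: {len(graph)} nodes, "
              f"avg degree {average_degree(graph):.2f}")
        for k in range(1, 3):
            permutation_rescan(graph, perm, seed=k)
            print(f"  after rescan {k}: avg degree {average_degree(graph):.2f}")
```

Two properties hold regardless of the parameters and are worth keeping in mind when reading the paper's numbers: the infection tree alone guarantees an average degree of at least 2(n-1)/n, so every node except the seed already knows its infector, and each rescan can raise the average by at most 2.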