[Figure 1: Onset of Code Red I v2, Code Red II, and Nimda. Number of remote hosts launching confirmed attacks corresponding to different worms, as seen at the Lawrence Berkeley National Laboratory (x-axis: Days Since July 18, 2001, ticked Jul 19 through Oct 1; y-axis: Distinct Remote Hosts Attacking LBNL, 0 to 20,000). Hosts are detected by the distinct URLs they attempt to retrieve, corresponding to the IIS exploits and attack strings. Since Nimda spreads by multiple vectors, the counts shown for it may be an underestimate.]

[Figure 2: The endemic nature of Internet worms. Number of remote hosts launching confirmed attacks corresponding to different worms, as seen at the Lawrence Berkeley National Laboratory, over several months since their onset (x-axis: Days Since Sept. 20, 2001, ticked Oct 1 through Jan 15; y-axis: Distinct Remote Hosts Attacking LBNL, 0 to 2,000). Since July, 139,000 different remote Code Red I hosts have been confirmed attacking LBNL; 125,000 different Code Red II hosts; and 63,000 Nimda hosts. Of these, 20,000 were observed to be infected with two different worms, and 1,000 with all three worms. (Again, Nimda is potentially an underestimate because we are only counting those launching Web attacks.)]

Internet has become part of a nation's critical infrastructure, and (ii) the recent, widely publicized introduction of very large, very rapidly spreading Internet worms, such that this technique is likely to be particularly current in the minds of attackers.

We present an analysis of the magnitude of the threat. We begin with a mathematical model derived from empirical data of the spread of Code Red I v2 in July and August, 2001 (Section 2). We then discuss techniques employed for achieving greater effectiveness and virulence by the subsequent Code Red II and Nimda worms (Section 3). Figures 1 and 2 show the onset and progress of the Code Red and Nimda worms as seen "in the wild."

In this context, we develop the threat of three new techniques for highly virulent worms: hit-list scanning, permutation scanning, and Internet scale hit-lists (Section 4). Hit-list scanning is a technique for accelerating the initial spread of a worm. Permutation scanning is a mechanism for distributed coordination of a worm. Combining these two techniques creates the possibility of a Warhol worm,^2 seemingly capable of infecting most or all vulnerable targets in a few minutes to perhaps an hour. An extension of the hit-list technique creates a flash worm, which appears capable of infecting the vulnerable population in 10s of seconds: so fast that no human-mediated counter-response is possible.

We then turn in Section 5 to the threat of a new class of surreptitious worms. These spread more slowly, but in a much harder to detect "contagion" fashion, masquerading as normal traffic. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts.

Then in Section 6, we discuss some possibilities by which an attacker could control the worm using cryptographically-secured updates, enabling it to remain a threat for a considerable period of time. Even when most traces of the worm have been removed from the network, such an "updatable" worm still remains a significant threat.

Having demonstrated the very serious nature of the threat, we then in Section 7 discuss an ambitious but we believe highly necessary strategy for addressing it: the establishment at a national or international level of a "Center for Disease Control" analog for virus- and worm-based threats to cybersecurity. We discuss the roles we envision such a Center serving, and offer thoughts on the sort of resources and structure the Center would require in order to do so. Our aim is not to comprehensively examine each role, but to spur further discussion of the issues within the community.

^2 So named for the quotation "In the future, everyone will have 15 minutes of fame."
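The Section 4 techniques summarized above (hit-list scanning to accelerate the initial phase, permutation scanning to coordinate the instances) can be made concrete with a small epidemic simulation. The following is an added example, written for this page and not code from the paper or its authors: it runs a worm over a constructed 16-bit address space and compares naive random scanning against a hit list of 100 pre-known victims combined with permutation scanning. The address-space size, host counts, probe rate and the affine keyed permutation are all assumptions chosen for illustration (a real worm would use a block cipher for the permutation), a "round" is a synthetic time step rather than a measured duration, and the hit-list phase is modeled as instantaneous; the point is to see the coordination signal (an instance that probes an already-infected host restarts elsewhere) and the effect of seeding on time to saturation.

```python
"""Toy simulation of worm spreading strategies on a small address space.

Added example, not from the paper: it contrasts naive random scanning
with hit-list seeding plus permutation scanning.  The 16-bit address
space, the host counts and the probe rate are constructed parameters;
a "round" is a synthetic time step, not a measured duration.
"""
import random

ADDR_BITS = 16
SPACE = 1 << ADDR_BITS      # 65536 toy addresses (constructed)
N_VULN = 2000               # vulnerable hosts in that space (constructed)
PROBES_PER_ROUND = 5        # probes each infected host sends per round
MAX_ROUNDS = 10_000         # safety cap so the loop always terminates


def make_permutation(key):
    """Return (forward, inverse) for a keyed bijection on [0, SPACE).

    x -> (a*x + b) mod 2**k is a bijection whenever a is odd, so every
    instance that knows the key walks the same ordering of the address
    space.  Assumption: a real worm would use a block cipher for this;
    the affine map is enough to show the coordination effect.
    """
    rng = random.Random(key)
    a = rng.randrange(1, SPACE, 2)      # odd multiplier -> invertible mod 2**k
    b = rng.randrange(SPACE)
    a_inv = pow(a, -1, SPACE)
    return (lambda i: (a * i + b) % SPACE,
            lambda x: ((x - b) * a_inv) % SPACE)


def simulate(strategy="random", hit_list_size=1, seed=1, key=0xC0DE):
    """Run one epidemic until every vulnerable host is infected.

    strategy="random": each instance probes uniformly random addresses.
    strategy="permutation": each instance walks the shared permutation
    from its cursor; a newly infected host starts just after its own
    slot, and an instance that probes an already-infected host treats
    that stretch as swept and restarts at a random slot.
    hit_list_size: hosts infected at round 0.  The hit-list phase is
    modeled as instantaneous (the worm already knows those addresses).
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(SPACE), N_VULN))
    fwd, inv = make_permutation(key)
    seeds = rng.sample(sorted(vulnerable), hit_list_size)
    infected = set(seeds)
    cursor = {h: (inv(h) + 1) % SPACE for h in seeds}   # permutation index per instance
    rounds = probes = restarts = 0
    while len(infected) < N_VULN and rounds < MAX_ROUNDS:
        rounds += 1
        newly = {}                                   # host -> starting cursor
        for host in list(cursor):                    # instances active this round
            for _ in range(PROBES_PER_ROUND):
                probes += 1
                if strategy == "random":
                    target = rng.randrange(SPACE)
                else:
                    target = fwd(cursor[host])
                    cursor[host] = (cursor[host] + 1) % SPACE
                if target in infected or target in newly:
                    if strategy == "permutation":    # coordination signal: region swept
                        cursor[host] = rng.randrange(SPACE)
                        restarts += 1
                elif target in vulnerable:
                    newly[target] = (inv(target) + 1) % SPACE
        infected.update(newly)                       # new hosts scan from next round
        cursor.update(newly)
    return {"strategy": strategy, "hit_list": hit_list_size, "rounds": rounds,
            "probes": probes, "restarts": restarts, "infected": len(infected)}


def compare(seed=1):
    """Return the four strategy / hit-list combinations for one seed."""
    return [simulate("random", 1, seed),
            simulate("random", 100, seed),
            simulate("permutation", 1, seed),
            simulate("permutation", 100, seed)]


if __name__ == "__main__":
    for r in compare():
        print(f"{r['strategy']:<12} hit-list={r['hit_list']:>4}  rounds={r['rounds']:>4}  "
              f"probes={r['probes']:>8}  restarts={r['restarts']}")
```

Running `compare()` with the same seed keeps the vulnerable population identical across the four runs, so the rounds column isolates the effect of seeding and of the shared scan order. The defender-side reading is the one the paper draws out: the slow single-seed phase that random scanning depends on, and that gives humans time to react, is exactly what a hit list removes, and the restart-on-infected rule means instances stop wasting probes on swept regions without any explicit command channel.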