Worms

  1. Warhol Worm: a fast-spreading worm, but not as fast as a Flash Worm
  2. Flash Worm: a worm that infects its targets extremely fast
  3. Stealth Worm: spreads more slowly but is much harder to detect

Each worm is optimized to do a certain thing.

Attack

Hit List Scanning: a hit list of vulnerable hosts is built before the worm is launched. The goal is to accelerate the initial attack so that defenders have little time to respond.

Figure 1: Hit List and Permutation Scan

To generate a hit list, the following techniques can be used:

  1. Stealthy Scans: dribble port scans out over a long period of time to avoid suspicion
  2. Distributed Scanning: the attacker leverages already compromised hosts to do the scanning
  3. DNS searches: trawling through DNS records to identify mail servers and web servers
  4. Spiders: a crawler that does what search engines do, except that it is collecting Internet-connected hosts
  5. Public surveys: services such as Netcraft and similar surveys may already list which ports a host listens on
  6. Listen: peer-to-peer applications advertise their services

Localized Scanning: a worm will attempt to infect IP addresses closest to its resident host (this is what Code Red II used).

The worm was also a single-stage scanning worm that chose random IP addresses and attempted to infect them. However, it used a localized scanning strategy, where it was differentially likely to attempt to infect addresses close to it. Specifically, with probability 3/8 it chose a random IP address from within the class B address space (/16 network) of the infected machine. With probability 1/2 it chose randomly from its own class A (/8 network). Finally, with probability 1/8 it would choose a random address from the whole Internet. Source Here
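As an added example (not from the page or the paper it quotes), a small Python check a defender can run over flow records: it measures, per source, how its distinct destinations split between the source's own /16, its own /8 and the rest of the Internet, and flags hosts whose fan-out matches the localized-scanning profile described above. The flow records, host addresses and thresholds are constructed for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records (src, dst), not real traffic: one host whose distinct
# targets follow the Code Red II split (3/8 own /16, 1/2 own /8, 1/8 anywhere)
# and one ordinary host that talks to a few addresses.
SCANNER = "10.20.30.40"
SAMPLE_FLOWS = (
    [(SCANNER, f"10.20.{i}.7") for i in range(9)]          # 9 targets in own /16
    + [(SCANNER, f"10.{100 + i}.1.7") for i in range(12)]  # 12 in own /8, outside /16
    + [(SCANNER, f"{50 + i}.1.1.7") for i in range(3)]     # 3 anywhere on the Internet
    + [("10.20.30.41", d) for d in ("198.51.100.9", "203.0.113.5", "10.20.30.1")]
)

def locality_profile(flows):
    """Per source: number of distinct destinations and the share that fall in the
    source's own /16, its own /8 (but outside the /16), and the rest of the Internet."""
    targets = defaultdict(set)
    for src, dst in flows:
        targets[src].add(dst)
    profiles = {}
    for src, dsts in targets.items():
        net16 = ipaddress.ip_network(f"{src}/16", strict=False)
        net8 = ipaddress.ip_network(f"{src}/8", strict=False)
        counts = Counter()
        for dst in dsts:
            addr = ipaddress.IPv4Address(dst)
            if addr in net16:
                counts["same_16"] += 1
            elif addr in net8:
                counts["same_8"] += 1
            else:
                counts["global"] += 1
        n = len(dsts)
        profiles[src] = {
            "distinct": n,
            "same_16": counts["same_16"] / n,
            "same_8": counts["same_8"] / n,
            "global": counts["global"] / n,
        }
    return profiles

def flag_localized_scanners(flows, min_targets=20, local_share=0.7):
    """Flag sources that reach many distinct hosts with most of them inside their own /8:
    the fan-out that localized scanning produces and ordinary clients do not."""
    return sorted(src for src, p in locality_profile(flows).items()
                  if p["distinct"] >= min_targets
                  and p["same_16"] + p["same_8"] >= local_share)
```

Tune min_targets and local_share to the baseline of the monitored segment; a backup server or a vulnerability scanner will legitimately show the same local fan-out and needs an allow-list.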

Multi Vector: a multi-vector attack uses multiple channels to launch itself, which increases the probability of spreading. Many security appliances let mail pass through, relying on whatever "email security gateway" service the organization has acquired. NIMDA used the following vectors:

  1. Infecting web servers
  2. Bulk emailing itself as an attachment
  3. Copying itself across network shares
  4. Adding exploit code to web pages on compromised servers in order to infect clients that browse those pages
  5. Scanning for backdoors left by other worms

Permutation Scanning: permutation scanning improves over random IP targeting by allocating a block of the (permuted) address space to each worm instance. This way the worm instances target hosts efficiently and avoid duplicating each other's effort. Partitioned Permutation Scan: on infection, the infecting instance's permutation range is split in half, and the newly infected host takes one of the halves.

Figure 2: Permutation IP Database

Topological Scanning: the worm scans the infected host itself for information such as email addresses, IP addresses and the names of other servers. If this is combined with the topology information in the router's L3 routing tables, the worm can build a powerful picture of the network topology.

Defend

Application: behaviour-based AV such as Advanced Threat Protection software, and a secure coding methodology for the software you build.

Network: IDS, firewalls, network segmentation. Read Cisco's Worm Mitigation paper, which includes configuration commands for routers.

More Reading

https://www.usenix.org/legacy/event/sec02/full_papers/staniford/staniford.pdf
