The Propagation Model and Analysis of Worms
Together with Anti-worms
BAI-LING WANG1, XIAO-CHUN YUN, BIN-XING FANG
Research Center of Computer Network and Information Security Technology
Harbin Institute of Technology, Harbin 150001
CHINA
Abstract: There are some known anti-worms used to kill worms and recover the infected machines,
but they always aggravate the epidemic situation on the contrary due to the absence of theoretical model
and the corresponding experiments. This paper describes an action-based taxonomy of Internet worm.
By the taxonomy, we propose an all-purpose propagation model on worms together with anti-worms,
and then we simulate and analyze the propagation of worm MSBlaster together with Welchia as a case
study. At last, a fast anti-worm with low traffic load is proposed to make comparison with Welchia to
contain MSBlaster. This paper leads to a better understanding and prediction of the scale and speed of
Internet worm together with its anti-worm spreading.
Key-Words: Computer Security; action-based taxonomy; friendly worm; Worm propagation model;
1
developed against worm CodeRed, but both of
them were not released to Internet.
Introduction
Worm propagates through network, and attacks
the vulnerability, which exists in much extensively
used software, to exhaust the network resource.
Since the first worm created in 1988 [１], the
security threat posed by worms has steadily
increased, especially in the last three years. The
Code Red worm and Nimda worm incidents of 2001
have shown us how vulnerable our networks are and
how fast a worm can spread.
The reason for internet worm to be hard to
control is that Internet is so open, complex and
immense that causes us having no way to know or
control all the hosts connected to internet. The
worms will stay in the hosts and attack other hosts
for a long period if the uncontrolled hosts are
infected with worms. So the key to control the
Internet worm is to find the solution to recovering
those uncontrolled hosts.
Recently, some people begin to study the active
countermeasure with anti-worm, which can be
posted to the remote hosts to recover them actively.
The typical examples are as follows:
·2001, worm Cheese was released to Internet
against worm LiOn .
·2001, worm CodeGreen and CRClean were
·2003, worm Welchia was released to Internet
against worm MSBlaster.
But the result is not very prefect. Especially,
Welchia has caused a mass of loss and high impact
on Internet. There is no successful and influential
case on worm countermeasure until now due to the
absence of theoretical model and the corresponding
experiments.
2
Related Work
The firstly well-known Internet worm was
Morris that self-propagated across a network by
exploiting security vulnerabilities in host software.
Morris is the modern archetype for contemporary
Internet worms, and it has infected several thousand
hosts and disrupted Internet-wide communication
due to its high growth rate [２].
Research on Internet worm became really hot
after worm code-red was released. D.J. Daley and J.
Gani. Provide a simple epidemic model, which
assumes that each host stays in one of two states:
susceptible or infectious. The model further assumes
that once a worm infects a host, the host will stay in
the infectious state forever. Thus a host can only
have one possible state transition: “susceptible 
infectious” [３]. J. C. Frauenthal’s K-M epidemic
model considers the removal process of infectious
hosts [４]. It assumes that during the epidemic
situation some infectious hosts either recover or die.
Once a host dies or recovers from the disease, it will
be immune to the disease forever. Z. Chen presents a
mathematical model, referred to as the Analytical
Active Worm Propagation (AAWP) model, which
characterizes the propagation of worms that employ
random scanning [５]. Moore and Shannon have
also published an empirical analysis of Code-Red’s
growth, repair, and geography based on observed
probes [６] to a dedicated class A network. Song et
al. reproduced parts of this study and further
distinguished between different simultaneously
active worms [７].
None of the research has considered the two or
more worms’ propagation together, such as worm
LiOn together with cheese and worm MSBlaster
together with Welchia. Our work will just fill the
void. We are interested in the following issues: What
are the curves when there are two or more kinds of
worms interacting with each other at the same time
on Internet? Can we contain the worms on Internet
enlightened by the anti-worms?
3
A Taxonomy of Internet Worms
To understand the threat posed by Internet
worms and the effective countermeasure to contain
Internet worms, it is necessary to make clear the
classes of worms. We attempt to construct a
preliminary taxonomy based on worm’s action in
this part.
Definition 1 Worm: Worm is a program that
can run by itself and can propagate a fully working
version of itself to other machines [８].
There are two basic properties in worm
according to the definition, and they can be
described as the followings:
Class worm{
Property propagation;
Property self-replicating;
}
Definition 2 Vicious Worm: Vicious worm
(Vworm) is a program that can run by itself and can
propagate a fully working version of itself to other
machines, but its purpose is to waste the resource of
communicating and computing or to steal the
information from the computers on Internet.
There are some more “virtual properties” in
Vworm than those in worm. Described in the
followings:
Class vicious_worm : publish worm {
Virtual Property hiding;
Virtual Property destroying;
}
Note that the “virtual property” means a Vworm
can have the property or not. So we conclude that a
Vworm is a kind of worm that maybe has some
other “virtual properties”. For example, worm
Nimda is a Vworm with destroying property, which
can add some scripts to the web file (.html or .asp
file) to propagation. And worm Code Red is a
Vworm without any extra virtual properties.
According to the difference in the property
“destroying” of the Vworms, we divide Vworm into
two classes: the worm closing the vulnerability
(CVworm) and the worm not closing the
vulnerability of the infected host (NVworm) after
entering it.
Definition 3 Friendly Worm: Friendly worm
(Fworm) is a program that can run by itself and can
propagate a fully working version of itself to other
machines, but its purpose is to recover the vulnerable
hosts and to kill the vicious worm.
There are two extra properties and one
overriding properties in Fworm. We describe it
in the followings:
Class friendly_worm : public worm{
Property propagation;
Property countermeasure;
Property self-killing;
}
According to the different countermeasures to
different Vworms, we divide Fworm into two kinds:
the worm patching the susceptible hosts (SFworm)
and the worm recovering the infected hosts
(IFworm), referring to definition 4 and definition 5.
Note that the recovering action includes killing the
Vworm and patching the vulnerability.
Definition 4 SFworm: The SFworm is a sort of
Fworm that can patch the susceptible hosts in its
countermeasure, and then the host will never be
infected with the Vworm. SFworm enters the
3
susceptible hosts in the same entry with Vworm.
Definition 5 IFworm: The IFworm is a sort of
Fworm, just like worm cheese. It can kill the Vworm
and patch the infected hosts, and then the host will
never be infected with the Vworm. IFworm enters
the infected hosts by the new backdoor that Vworm
left after entering it.
As described above, if a Fworm, including
SFworm and IFworm, inherits the same propagation
way from worm, it will have the same properties
with Vworm, and then we name it “Failing Fworm
(FFworm)”. Worm welchia is a FFworm, because it
propagates in the same way with Vworm MSBlaster,
and it has caused even more loss than Vworm
MSBlaster. Then we propose action-based worm
taxonomy, as described in the followings:
Fig.1 Action-based worm taxonomy
Base on the taxonomy, IFworm is sent out to
contain NVworm and SFworm is used to patch the
susceptible hosts. Add also, if a Vworm doesn’t
close vulnerability after entering the hosts, IFworm,
which is same with SFworm at this condition, will
be sent out to both patch the susceptible hosts and
contain the Vworm in the infected hosts.
Simulation Of MSBlaster Together
With Welchia
4
4.1
the model.
Definition 6 Susceptible Host: Suppose a host
has a vulnerability, which can be exploited by a
worm to enter the host, and then if the Vworm has
not infected it, the host is in susceptible state.
Definition 7 Immune Host: Suppose a host has
a vulnerability, which can be exploited by a worm to
enter the host, and then if Fworm patches the host
before Vworm entering it, the host is in immune state
after being patched.
Definition 8 Recovered Host: Suppose a host
was infected with a Vworm, and then if the Fworm
kills the Vworm and patches the host, the host is in
recovered state after being recovering. The recovered
host is different from the immune host due to the
different original state.
Definition 9 Infected Host: Suppose a host
has been infected with a worm, but the worm closed
the backdoor or the vulnerability, such as worm
LiOn, the host is in infected state. That means the
host will probe or is probing other hosts.
A host stays in one of the four states at any
time: susceptible, infected, immune and recovered.
There are two practical state transition flows. Firstly
if the vicious worm is a CVworm, which closes the
vulnerability after entering the vulnerable hosts,
IFworm will be sent out to contain CVworms and
Sfworm will be sent out to patch the susceptible
hosts. Thus the state transition of any host can be
“susceptible  infected  recovered” or
“susceptible  recovered”, as figured in Fig. 2.
Secondly if the vicious worm is a NVworm, which
doesn’t close the vulnerability after infecting the
susceptible host, IFworm will be sent out to both
contain the Vworm and patch the vulnerable hosts.
Thus the state transition is same with we mentioned
above, but only IFworm is same with SFworm in
this situation.
Description of simulation model
In the simulation, we model the propagation of
Vworm together with Fworm. From the worm’s
point of view, SFworm and IFworm remove some
hosts from worm spreading circulation, including
both hosts that are infected and hosts that are still
susceptible. In other words, the removal process
consists of two parts: removal of the infected hosts
and removal of the susceptible hosts. We give some
definitions first before make a detail description on
Fig.2 Host states transition
4.2
Simulation experiments
In this part, we want to simulate the
propagation of MSBlaster (a NVworm) together
with Welchia (a Failing Fworm). The system in our
simulation consist of M hosts that can reach each
other directly, thus there is no topology issue in our
simulation.
Each copy of worm MSBlaster on an infected
host will begin infection at an address either based
off the local machine's IP address, or a completely
random address, and then attempt to infect
sequential IP addresses endlessly. Each time a host is
infected, there is a 40% chance that it will begin at
the first address of its "Class C"-size subnet (x.x.x.0),
and a 60% chance that it will start at a completely
random IP address with the last octet set to 0
([1-254].[0-253].[0-253].0). If the starting address is
based off of the local address, and the third octet is
greater than 20, it will be reduced by a random
number between 0 and 19. Worm Welchia will scan
for the MSBLAST.EXE file, interrupt it and finally
delete it, after successful entering the vulnerable
host. And then it scans the Windows system folders
and looks for downloaded patches. If the patch
against the DCOM RPC vulnerability has not been
installed, Welchia will initiate the downloading
process. Once the patch is successfully downloaded
and executed, the worm re-boots the computer to
complete installation.
We simulate two scenarios. Firstly, MSBlaster
will propagate without any countermeasure, and
there are two states in this model: susceptible and
infected. Then the state transition of the vulnerable
hosts is “susceptible host  infected host”. In the
second scenario, we simulate the propagation when
worm Wilchia sent out to contain worms. As
mentioned above, Wilchia will kill the worm
MSBlaster if it exists in the vulnerable hosts. Then
Wilchia will patch the host. So the state transition of
the vulnerable hosts is “susceptible host  infected
host  removed host; susceptible host  immune
host”.
For the purpose of comparison, we plot the
simulation results of the two scenarios in Fig. 3.
(Suppose that 0.04 percent of the total hosts are
infected with MSBlaster; 0.03 percent of the total
hosts are infected with Welchia in the second
scenario; the propagation rate of the three worms is
on average 4 scans/s.)
Error!
Fig. 3 Propagation model of
MSBlaster together with Weilchia
Comparing our simulation curves in Fig. 3, we
observe that, after sending out worm welchia, the
proportion of worm MSBlaster increases first and
decreases after time t = 10, that is because the
number of the new recovered hosts by Weichia is
bigger than the new infected hosts. The total number
of both worms is bigger than that in the original
situation without worm welchia, and the prior reach
the maximum of the proportion than the latter, which
can be conclude from the curve “sum proportion of
welchia and MSBlaster” and the curve “Proportion
of MSBlaster without any countermeasure”.
What we mentioned above proves that the
worm epidemic situation will be serious after
Welchia is sent out.
Two new worm propagation
models
5
Fworm is also a worm, and it can bring extra
traffic load to network if it is lost of control, just like
worm Welchia. So we have to set up a numerical
model to evaluate the situation under the
countermeasure. And in this part, we will give a
farther research on the numerical model of the
propagation based on the simulation above. By use
of the numerical model, we can forecast the worm
epidemic situation under active countermeasure and
not under active countermeasure.
Add also, we deem the number of hosts is not
important, but the proportion of the hosts in every
5
state is important. So we use the proportion value as
the main parameters of our model, referring to table
1.
Table 1: Notation in this paper
Notation Definition
M
Total number of hosts under
consideration
S(t)
The proportion of susceptible hosts at
time t.
I(t)
The proportion of infected hosts at
time t.
V(t)
The proportion of vulnerable hosts at
time t. V(t) = I(t) + S(t)
RS(t)
The proportion of immune hosts with
SFworm at time t.
RI(t)
The proportion of removed hosts
with IFworm at time t.
R(t)
The proportion of immune hosts.
R(t)= RS(t)+ RI(t)
α
The worm propagation rate
γS
The SFworm propagation rate
γI
The IFworm propagation rate
There are two instances: the first is that the
CVworm closes the vulnerability and leave a new
backdoor after entering the vulnerable hosts, such as
worm LiOn; the second is that the NVworm doesn’t
close the vulnerability after entering the vulnerable
hosts.
In the prior situation, SFworm is sent out to
patch the susceptible hosts, which can enter the hosts
in the same entry with CVworm, and IFworm is sent
out to kill the vicious worm and patch the
vulnerability by entering the infected hosts with the
new backdoor, such worm cheese. In the latter
situation, IFworm and SFworm are same and they
can enter the infected hosts and the susceptible hosts
in the same way with NVworm. We will give
different numerical model according to different
instance.
5.1
IFworm and SFworm VS. CVworm
Let M denote the total number of the hosts
under consideration; RS(t) denote the proportion of
immune hosts with SFworm at time t; S(t) denote
the proportion of susceptible hosts at time t, γS
denote the SFworm propagation rate. Then the
change in the number of the immune hosts with
SFworm RS(t) from time t to time t +Δt follows the
equation:
M  RS t  t   M  RS t    S  S t  M  RS t  t
—— ( 1 )
In Eq. (1), γS × S(t) is the probability for an SFworm
to scan the susceptible hosts, and M × RS(t) is the
total number of the SFworm at time t.
Let RI(t) denote the proportion of immune hosts
with IFworm at time t; I(t) denote the proportion of
infected hosts at time t, γI denote the IFworm
propagation rate. Then the change in the number of
the removed hosts with IFworm RI(t) from time t to
time t +Δt follows the equation:
M  RI t  t   M  RI t  
 I  I t  M  RI t  t
—— ( 2 )
In Eq. (2), γI × I(t) is the probability for a IFworm to
scan the infected hosts, and M × RI(t) is the total
number of the IFworm at time t.
Referring to Eq.(1) and Eq.(2) the change in the
number of the infected hosts from time t to time
t+Δt follows the equation:
M  I t  t   M  I t  
  S t  M  I t  t   I  I t  M  RI t  t
—— ( 3 )
And the change in the number of the susceptible
hosts from time t to time t+Δt follows the equation:
M  S t  t   M  S t  
  S  S t   M  RS t   t    S t   M  I t   t
—— ( 4 )
Note that S(t) + I(t) + R(t) = M and R(t) = RS(t)
+ RI(t) holds for any time t. Hence, we have
S t '    S t  I t   RS t '
 I t '    S t  I t   R t '
I

 RS t '   S  S t  RS t  FS t 
—— ( 5 )









R
t
'



I
t

R
t

F
t
I
I
I
 I

1 t  t Si And t  t Ei

i  S, I
 Fi t   
0
t

t
Or
t

t
Si
Ei


 Rt   R t   R t 
S
I

0  S t , I t , Rt   1
S t   I t   Rt   1


  0,  S  0,  I  0,  I   S  0
We refer to the model described by Eq(5) as the
two-friendly-worm worm propagation model, and
the propagation worm Lion and worm Cheese
belongs to this model by setting γS=0. In fact,
SFworm and IFworm will not propagate forever, and
then we model the life cycle of SFworm as a
function of time, i.e., Fi(t).
In order to testify to the correctness of the
a. Numerical solution of the model
model, we propose a numerical solution of the
model. For parameters I0=0.0004, RS0=RI0=0.0003,
α=γS=γI=4.00, we obtain a numerical solutions of
two-friendly-worm worm propagation model and
plot them in Fig. 4 (a). For the purpose of
comparison, we also plot the simulation under the
same parameters right beside our numerical solution,
as figured in Fig. 4 (b).
b. Simulation result
Fig.4 Comparison of numerical solution
and simulation
The numerical solution curves are consistent
with our simulation well. Fig. 4 (a) shows that the
number of infectious hosts I(t) reaches its maximum
value at t = 224, and it is about 52% of the
maximum value in the original classical simple
epidemic model, which can be obtained from our
model by setting the parameters γS =γI = 0. From
then on it decreases because the number of removed
infected hosts in a unit time is greater than the
number of newly generated infected hosts at the
same time. Before t = 224, the number of newly
generated immune hosts are much greater than the
newly generated removed hosts; but after t = 224, it
is reverse. That means the SFworm work effectively,
just like worm, from the starting time; but, after t =
224, the susceptible hosts are very difficult to probe,
both worm and SFworm will propagate slowly; and
then the IFworm begin to work effectively to recover
the infected hosts.
In order to make it more clearly, we give some
other special numerical solutions. These curves have
different initiative value at the starting time. From
left to right in Fig. 6, the proportion of the infected
hosts is 0.4%, 10%, and 80%. The initiative
proportion of the SFworm γS = 0 and the initiative
proportion of the IFworm γI = 0.3% in all of
following figures. The other parameters are same to
that in Fig. 4. In each sub-figure of Fig. 5, we plot
S(t), I(t), and R(t) in each one.
Fig. 5 Worm propagation with different parameters
Fig. 5 shows IFworm can recover all of the
infected hosts at any situation, and even when
worm reaches its maximum value. But if we send
out IFworm at the starting time, the proportion of
the infected hosts will also nearly reach its
maximum value. So we can conclude that the
main period, when the proportion of the IFworms
increases fast, is after the peak value of worm
epidemic.
Factor δ: We model it as a function of time, i.e.,
δ(t). From the point of network, if one worm scan
is sent out in one unit time, there is one effective
touch to network. So δ(t) is the product of the
worm propagation rate α and the number of
worms M*I(t), where I(t) is the proportion of the
infected hosts at time t. Then we have:
 t     M * I t 
——( 10 )
Definition 11 Worms Absolute Impact
5.2
IFworm (SFworm) VS. NVworm
In this situation, the IFworm is same to
SFworm, and then γS = γI =γ. Let R(t) denote the
sum of RS(t) and RI(t), then we have
RS t '    S t   Rt 
——( 6 )
and the propagation rate of each worm is αn. (0≤
n<N) Then:
N 1
Impact analysis
From result of the numerical solution and
simulation, we can conclude that SFworm and
IFworm can contain the worm epidemic
effectively. But both of them are also worms, and
they will bring extra traffic load to network. In this
part, we will analyze the impact worms bring to
the network after worm Welchia was sent out to
contain worm MSBlaster. It belongs to the
one-friendly-worm worm propagation model. At
last, based on the model, a new propagation way is
designed for Fworm to replace Welchia to contain
MSBlaster. We give some definitions first.
Definition 10 Worm Effective Touch
——( 11 )
n 0
——( 7 )
Substituting Eq.(6) and Eq.(7) into Eq(5) yields a
new differential equation. We refer to this worm
model described by the new equation as the
one-friendly-worm worm propagation model, and
the propagation of worm MSBlaster together with
worm Welchia belongs to this model. Because of
the limit of the paper, we will not give the solution
of this model, and the solution can be obtained by
referring to the two-friendly-worm worm
propagation model we gave above.
6
in network, the proportion of each worm is In(t),
 t     n t 
And
RI t '    I t  Rt 
Factor λ(t)： Suppose there are N kinds of worms
So we have the absolute impact factor in the
classical simple epidemic model and in our model:
0 t    0 t 

 t    I t    SI t    IR t 
Where δ0(t) is the effective touch factor
worms caused in the classical simple epidemic
model, δI(t) is caused by worms in our model,
δSI(t) is caused by SFworms, and δIR (t) is caused
by IFworms. Then λ(t) is the total impact in our
model.
Definition 12 Worms Relative Impact
Factor θ(t):
 t  
 t 
0 t 
——( 12 )
For parameters I0=0.0004, R0 =0.0003, α = γ
= 6.00, we analyze the impact to network when
worm MSBlaster and its anti-worm Welchia
propagate, and plot them in Fig. 7.
Fig. 7 (I) shows that the maximum impact
(λ(t) ), the total impact that both MSBlaster and
Welchia caused), after sending out worm Welchia
to network, is same to the maximum impact (λ0(t))
that worm LiOn cause without Welchia interacting
with it. But the differentia is that the peak value
arrives early, and the whole curve is moved ahead
after Welchia was sent out. (In Fig.7, λ(t) is about
0.1%~2.5% bigger than λ0(t) in the same time t).
That is why people said the epidemic became
serious after the anti-worm occurred, and then
Welchia is a FFworm in our worm taxonomy. Fig.
7 (II) shows that the maximum of θ(t) occurs at the
starting time, which is result of our initiative value.
We also conclude that Welchia will kill all of
worm MSBlaster, if time is enough. But the
impact to network will not decrease before
Welchia kill itself automatically. Just like worm
Welchia, which will kill itself after 01/01/2004,
but, in fact, it is too long from August 2003 to
January 2004 for users to wait.
Fig. 7 Numerical analysis of worm MSBlaster and Welchia
Improvopagatied pron study
Our final purpose is to contain vicious worm
effectively and not to cause the congestion to the
Internet. It is determined by two factors: the worm
propagating speed and the controllable strategy,
which are property propagation and property
self_killing in class friendly_worm. Worm
Welchia is a failing friendly worm, because it
aggravates the congestion to the Internet and it
cannot kill itself before 2004. So we will make an
abstract study on worm propagation way and
controllable strategy based on a simple analysis.
We make the following assumption: the set of
M vulnerable hosts are under consideration; V(t)
percent of hosts have vulnerability and R(t)
percent of the hosts are recovered with Fworm at
time t; α is the average scan rate per Fworm; there
is only one recovered host with Fworm at starting
time and the scanning space is M. During
propagation, each copy of Fworm will divide its
scanning space into N sub-space and only one
copy is sent to one sub-space. Then the original
Fworm passes the sub-space to the new copy as its
scanning space and continues to scan the remain
space. If the scanning space of a Fworm is null, it
will kill itself. We give a simulation on the
parameters N =4, M = 100,000, R(t) = 0.001%,
V(t) = 1 – R(t), as figured in Fig. 8:
1.2
1
Proportion
7
In Fig. 8, we model the proportion of the
recovered hosts and the proportion of the hosts
with friendly worm as a function of time t. We can
conclude that the friendly worm will die away
along with the propagation scale. This strategy is
better than Welchia, which will kill itself after
2004.
0.8
Total Recovered
Hosts
0.6
0.4
Recovered Hosts
with Friendly
Worm
0.2
0
0
10
20
30
40
50
time:t
Fig. 8 A controllable friendly worm
propagation model
And then we will compare the propagating
speed. We give a simulation on the parameters N
=4, M = 100,000, R(t) = 0.001%, I(t) = 0.4%, S(t)
= 1 – R(t) – I(t), and let the friendly worm
propagate in the respective way, as figured in
Fig .9 (a) and (b) .
From comparison in Fig. 9, we conclude that
the total proportion of infected hosts in our
propagation way decreases slower than that in the
original way after the peak value, but the sum
proportion of both worms is much bigger that in
the original, this is another key factor that
determines the congestion to the Internet. Much
effective friendly worm can be designed to contain
the vicious worm, and we will not introduce it here
due to the limit of the paper.
a. Friendly worm propagate in improved way
b. Friendly worm propagate in original way
Fig. 9 Comparison of propagation way
8
Conclusion
Enlightened by the existing “friendly worm”,
such as Welchia, we have constructed a taxonomy
of worms based on the worm’s action. By the
taxonomy, we can understand the threat posed by
Internet worms. After simulating and analyzing the
propagation model of worms together with
anti-worms, we prove that the worm Welchia will
bring more congestion to network if it propagates
in the original way.
By the improved propagation way, friendly
worm have better controllable policy and can
propagate faster. It is not the best way, but it is a
new research field. We will introduce them in
detail in other papers.
Reference:
[１] D. Seeley. A tour of the worm. In Proc. of the
Winter Usenix Conference, San Diego, CA, 1989.
[２] E. Spafford, “The Internet Worm: Crisis and
Aftermath,” Communications of the ACM, vol.
32, no. 6, pp. 678–687, June 1989.
[３] D.J. Daley and J. Gani. Epidemic Modelling:
An Introduction. Cambridge University Press,
1999.
[４] J. C. Frauenthal. Mathematical Modeling in
Epidemiology. Springer-Verlag, New York, 1980.
[５] Z. Chen, L. Gao, and K. Kwiat. Modeling the
Spread of Active Worms, In IEEE INFOCOM,
2003.
[６] D. Moore and C. Shannon, “Code-Red: a
Case Study on the Spread and Victims of an
Internet Worm,” in Proceedings of the 2002 ACM
SICGOMM Internet Measurement Workshop,
Marseille, France, Nov. 2002, pp. 273–284.
[ ７ ] D. Song, R. Malan, and R. Stone, “A
Snapshot of Global Internet Worm Activity,”
Arbor Networks, Tech. Rep., Nov. 2001.
[８] Eugene H. Spafford, “The Internet worm
program: an analysis”, ACM Computer
Communication Review, 1989, 19 (1): 17～57.
http://www.cerias.purdue.edu/homes/spaf/tech-rep
s/823.ps