1
Abstract: There are some known anti-worms used to kill worms and recover the infected machines, but they always aggravate the epidemic situation on the contrary due to the absence of theoretical model and the corresponding experiments. This paper describes an action-based taxonomy of Internet worm.
By the taxonomy, we propose an all-purpose propagation model on worms together with anti-worms, and then we simulate and analyze the propagation of worm MSBlaster together with Welchia as a case study. At last, a fast anti-worm with low traffic load is proposed to make comparison with Welchia to contain MSBlaster. This paper leads to a better understanding and prediction of the scale and speed of
Internet worm together with its anti-worm spreading.
Key-Words: Computer Security; action-based taxonomy; friendly worm; Worm propagation model;
1
Worm propagates through network, and attacks the vulnerability, which exists in much extensively used software, to exhaust the network resource.
Since the first worm created in 1988 [ １ ], the security threat posed by worms has steadily increased, especially in the last three years. The
Code Red worm and Nimda worm incidents of 2001 have shown us how vulnerable our networks are and how fast a worm can spread.
The reason for internet worm to be hard to control is that Internet is so open, complex and immense that causes us having no way to know or control all the hosts connected to internet .
The worms will stay in the hosts and attack other hosts for a long period if the uncontrolled hosts are infected with worms. So the key to control the
Internet worm is to find the solution to recovering those uncontrolled hosts.
Recently, some people begin to study the active countermeasure with anti-worm, which can be posted to the remote hosts to recover them actively.
The typical examples are as follows:
· 2001, worm Cheese was released to Internet against worm LiOn .
· 2001, worm CodeGreen and CRClean were
But the result is not very prefect. Especially,
Welchia has caused a mass of loss and high impact on Internet. There is no successful and influential case on worm countermeasure until now due to the absence of theoretical model and the corresponding experiments.
2 developed against worm CodeRed, but both of them were not released to Internet.
· 2003, worm Welchia was released to Internet against worm MSBlaster.
The firstly well-known Internet worm was
Morris that self-propagated across a network by exploiting security vulnerabilities in host software.
Morris is the modern archetype for contemporary
Internet worms, and it has infected several thousand hosts and disrupted Internet-wide communication due to its high growth rate [ ２ ].
Research on Internet worm became really hot after worm code-red was released. D.J. Daley and J.
Gani. Provide a simple epidemic model, which assumes that each host stays in one of two states: susceptible or infectious. The model further assumes that once a worm infects a host, the host will stay in the infectious state forever. Thus a host can only

have one possible state transition: “susceptible
 infectious” [ ３ ]. J. C. Frauenthal’s K-M epidemic model considers the removal process of infectious hosts [ ４ ]. It assumes that during the epidemic situation some infectious hosts either recover or die.
Once a host dies or recovers from the disease, it will be immune to the disease forever. Z. Chen presents a mathematical model, referred to as the Analytical
Active Worm Propagation (AAWP) model, which characterizes the propagation of worms that employ random scanning [ ５ ]. Moore and Shannon have also published an empirical analysis of Code-Red’s growth, repair, and geography based on observed probes [ ６ ] to a dedicated class A network. Song et al. reproduced parts of this study and further distinguished between different simultaneously active worms [ ７ ].
None of the research has considered the two or more worms’ propagation together, such as worm
LiOn together with cheese and worm MSBlaster together with Welchia. Our work will just fill the void. We are interested in the following issues: What are the curves when there are two or more kinds of worms interacting with each other at the same time on Internet? Can we contain the worms on Internet enlightened by the anti-worms?
3
To understand the threat posed by Internet worms and the effective countermeasure to contain
Internet worms, it is necessary to make clear the classes of worms. We attempt to construct a preliminary taxonomy based on worm’s action in this part.
Definition 1 Worm: Worm is a program that can run by itself and can propagate a fully working version of itself to other machines [ ８ ].
There are two basic properties in worm according to the definition, and they can be described as the followings:
Class worm{
Property propagation;
Property self-replicating;
}
Definition 2 Vicious Worm: Vicious worm
(Vworm) is a program that can run by itself and can propagate a fully working version of itself to other machines, but its purpose is to waste the resource of communicating and computing or to steal the information from the computers on Internet.
There are some more “virtual properties” in
Vworm than those in worm. Described in the followings:
Class vicious_worm : publish worm {
Virtual Property hiding;
Virtual Property destroying;
}
Note that the “virtual property” means a Vworm can have the property or not. So we conclude that a
Vworm is a kind of worm that maybe has some other “virtual properties”. For example, worm
Nimda is a Vworm with destroying property, which can add some scripts to the web file (.html or .asp file) to propagation. And worm Code Red is a
Vworm without any extra virtual properties.
According to the difference in the property
“destroying” of the Vworms, we divide Vworm into two classes: the worm closing the vulnerability
(CVworm) and the worm not closing the vulnerability of the infected host (NVworm) after entering it.
Definition 3 Friendly Worm: Friendly worm
(Fworm) is a program that can run by itself and can propagate a fully working version of itself to other machines, but its purpose is to recover the vulnerable hosts and to kill the vicious worm.
There are two extra properties and one overriding properties in Fworm. We describe it in the followings:
Class friendly_worm : public worm{
Property propagation;
Property countermeasure;
Property self-killing;
}
According to the different countermeasures to different Vworms, we divide Fworm into two kinds: the worm patching the susceptible hosts (SFworm) and the worm recovering the infected hosts
(IFworm), referring to definition 4 and definition 5.
Note that the recovering action includes killing the
Vworm and patching the vulnerability.
Definition 4 SFworm: The SFworm is a sort of
Fworm that can patch the susceptible hosts in its countermeasure, and then the host will never be infected with the Vworm. SFworm enters the

3 susceptible hosts in the same entry with Vworm.
Definition 5 IFworm: The IFworm is a sort of
Fworm, just like worm cheese. It can kill the Vworm and patch the infected hosts, and then the host will never be infected with the Vworm. IFworm enters the infected hosts by the new backdoor that Vworm left after entering it.
As described above, if a Fworm, including
SFworm and IFworm, inherits the same propagation way from worm, it will have the same properties with Vworm, and then we name it “ Failing Fworm
(FFworm)”. Worm welchia is a FFworm, because it propagates in the same way with Vworm MSBlaster, and it has caused even more loss than Vworm
MSBlaster. Then we propose action-based worm taxonomy, as described in the followings:
Fig.1 Action-based worm taxonomy
Base on the taxonomy, IFworm is sent out to contain NVworm and SFworm is used to patch the susceptible hosts. Add also, if a Vworm doesn’t close vulnerability after entering the hosts, IFworm, which is same with SFworm at this condition, will be sent out to both patch the susceptible hosts and contain the Vworm in the infected hosts.
4
the model.
Definition 6 Susceptible Host: Suppose a host has a vulnerability, which can be exploited by a worm to enter the host, and then if the Vworm has not infected it, the host is in susceptible state.
Definition 7 Immune Host: Suppose a host has a vulnerability, which can be exploited by a worm to enter the host, and then if Fworm patches the host before Vworm entering it, the host is in immune state after being patched.
Definition 8 Recovered Host: Suppose a host was infected with a Vworm, and then if the Fworm kills the Vworm and patches the host, the host is in recovered state after being recovering. The recovered host is different from the immune host due to the different original state.
Definition 9 Infected Host: Suppose a host has been infected with a worm, but the worm closed the backdoor or the vulnerability, such as worm
LiOn, the host is in infected state. That means the host will probe or is probing other hosts.
A host stays in one of the four states at any time: susceptible, infected, immune and recovered.
There are two practical state transition flows. Firstly if the vicious worm is a CVworm, which closes the vulnerability after entering the vulnerable hosts,
IFworm will be sent out to contain CVworms and
Sfworm will be sent out to patch the susceptible hosts. Thus the state transition of any host can be
“susceptible  infected  recovered” or
“susceptible 
recovered”, as figured in Fig. 2.
Secondly if the vicious worm is a NVworm, which doesn’t close the vulnerability after infecting the susceptible host, IFworm will be sent out to both contain the Vworm and patch the vulnerable hosts.
Thus the state transition is same with we mentioned above, but only IFworm is same with SFworm in this situation.
4.1
In the simulation, we model the propagation of
Vworm together with Fworm. From the worm’s point of view, SFworm and IFworm remove some hosts from worm spreading circulation, including both hosts that are infected and hosts that are still susceptible. In other words, the removal process consists of two parts: removal of the infected hosts and removal of the susceptible hosts. We give some definitions first before make a detail description on
Fig.2 Host states transition

4.2
In this part, we want to simulate the propagation of MSBlaster (a NVworm) together with Welchia (a Failing Fworm). The system in our simulation consist of M hosts that can reach each other directly, thus there is no topology issue in our simulation.
Each copy of worm MSBlaster on an infected host will begin infection at an address either based off the local machine's IP address, or a completely random address, and then attempt to infect sequential IP addresses endlessly. Each time a host is infected, there is a 40% chance that it will begin at the first address of its "Class C"-size subnet (x.x.x.0), and a 60% chance that it will start at a completely random IP address with the last octet set to 0
([1-254].[0-253].[0-253].0). If the starting address is based off of the local address, and the third octet is greater than 20, it will be reduced by a random number between 0 and 19. Worm Welchia will scan for the MSBLAST.EXE file, interrupt it and finally delete it, after successful entering the vulnerable host. And then it scans the Windows system folders and looks for downloaded patches. If the patch against the DCOM RPC vulnerability has not been installed, Welchia will initiate the downloading process. Once the patch is successfully downloaded and executed, the worm re-boots the computer to complete installation.
We simulate two scenarios. Firstly, MSBlaster will propagate without any countermeasure, and there are two states in this model: susceptible and infected. Then the state transition of the vulnerable hosts is “susceptible host

infected host”. In the second scenario, we simulate the propagation when worm Wilchia sent out to contain worms. As mentioned above, Wilchia will kill the worm
MSBlaster if it exists in the vulnerable hosts. Then
Wilchia will patch the host. So the state transition of the vulnerable hosts is “susceptible host  infected host

removed host; susceptible host

immune host”.
For the purpose of comparison, we plot the simulation results of the two scenarios in Fig. 3.
(Suppose that 0.04 percent of the total hosts are infected with MSBlaster; 0.03 percent of the total hosts are infected with Welchia in the second scenario; the propagation rate of the three worms is on average 4 scans/s.)
Ошибка!
Fig. 3 Propagation model of
MSBlaster together with Weilchia
Comparing our simulation curves in Fig. 3, we observe that, after sending out worm welchia, the proportion of worm MSBlaster increases first and decreases after time t = 10, that is because the number of the new recovered hosts by Weichia is bigger than the new infected hosts. The total number of both worms is bigger than that in the original situation without worm welchia, and the prior reach the maximum of the proportion than the latter, which can be conclude from the curve “sum proportion of welchia and MSBlaster” and the curve “Proportion of MSBlaster without any countermeasure”.
What we mentioned above proves that the worm epidemic situation will be serious after
Welchia is sent out.
5
Fworm is also a worm, and it can bring extra traffic load to network if it is lost of control, just like worm Welchia. So we have to set up a numerical model to evaluate the situation under the countermeasure. And in this part, we will give a farther research on the numerical model of the propagation based on the simulation above. By use of the numerical model, we can forecast the worm epidemic situation under active countermeasure and not under active countermeasure.
Add also, we deem the number of hosts is not important, but the proportion of the hosts in every

5 state is important. So we use the proportion value as the main parameters of our model, referring to table
1.
Table 1: Notation in this paper
α
γ
S
γ
I
Notation Definition
M
S(t)
Total number of hosts under consideration
The proportion of susceptible hosts at time t.
I(t)
V(t)
The proportion of infected hosts at time t.
The proportion of vulnerable hosts at time t. V(t) = I(t) + S(t)
R
S
(t)
R
I
(t)
The proportion of immune hosts with
SFworm at time t.
The proportion of removed hosts with IFworm at time t.
R(t) The proportion of immune hosts.
R(t)= R
S
(t)+ R
I
(t)
The worm propagation rate
The SFworm propagation rate
The IFworm propagation rate
There are two instances: the first is that the
CVworm closes the vulnerability and leave a new backdoor after entering the vulnerable hosts, such as worm LiOn; the second is that the NVworm doesn’t close the vulnerability after entering the vulnerable hosts.
In the prior situation, SFworm is sent out to patch the susceptible hosts, which can enter the hosts in the same entry with CVworm, and IFworm is sent out to kill the vicious worm and patch the vulnerability by entering the infected hosts with the new backdoor, such worm cheese. In the latter situation, IFworm and SFworm are same and they can enter the infected hosts and the susceptible hosts in the same way with NVworm. We will give different numerical model according to different instance.
5.1
Let M denote the total number of the hosts under consideration; R
S
(t) denote the proportion of immune hosts with SFworm at time t; S(t) denote the proportion of susceptible hosts at time t, γ
S denote the SFworm propagation rate. Then the change in the number of the immune hosts with
SFworm R
S
(t) from time t to time t + Δ t follows the equation:
M

R
S
 t
  t


M

R
S



S

S



M

R
S

  t
—— ( 1 )
In Eq. (1), γ
S
× S(t) is the probability for an SFworm to scan the susceptible hosts, and M × R
S
(t) is the total number of the SFworm at time t.
Let R
I
(t) denote the proportion of immune hosts with IFworm at time t; I(t) denote the proportion of infected hosts at time t, γ
I
denote the IFworm propagation rate. Then the change in the number of the removed hosts with IFworm R
I
(t) from time t to time t + Δ t follows the equation:
M


R
I

I
 t


I
 t
  



M

M

R
I

R
I
 
  

  t
—— ( 2 )
In Eq. (2), γ
I
× I(t) is the probability for a IFworm to scan the infected hosts, and M × R
I
(t) is the total number of the IFworm at time t.
Referring to Eq.(1) and Eq.(2) the change in the number of the infected hosts from time t to time t+ Δ t follows the equation:

M
 

I
S
 t
  


 t


M


M
I

 
I

  t




I

I



M

R
I

  t
—— ( 3 )
And the change in the number of the susceptible hosts from time t to time t+ Δ t follows the equation:
M




S
S

 t
S

 
 t





M
M


R
S
S t
 


  t


 
S



M

I

  t
—— ( 4 )
Note that S(t) + I(t) + R(t) = M and R(t) = R
S
(t)
+ R
I
(t) holds for any time t. Hence, we have






I
S
R
I
 
 
R
S
'
'
 
 
'


'



 



I
S

S


S
I t
S
   

' t
 


R
S
R
I t
 


F
S
F
I t
 
 
F i







R
0
S

     
 t t
 
     
   

S



0 ,
I


1

 0
R
S
,
S t
I
 t t
 t t
,

0 ,

R

R
 t
  t
R
I t
I t
Si
Si
Or

And
 t

1
1
0 ,

I

R
I
R
S t
 t
 


 t
S
  t
Ei
Ei
'
 i
0

—— ( 5 )
S , I

We refer to the model described by Eq(5) as the two-friendly-worm worm propagation model, and the propagation worm Lion and worm Cheese belongs to this model by setting γ
S
=0. In fact,
SFworm and IFworm will not propagate forever, and then we model the life cycle of SFworm as a function of time, i.e., F i
(t).
In order to testify to the correctness of the model, we propose a numerical solution of the model. For parameters I
0
=0.0004, R
S0
=R
I0
=0.0003,
α=γ
S
=γ
I
=4.00, we obtain a numerical solutions of two-friendly-worm worm propagation model and plot them in Fig. 4 (a). For the purpose of comparison, we also plot the simulation under the same parameters right beside our numerical solution, as figured in Fig. 4 (b).
a. Numerical solution of the model b. Simulation result
Fig.4 Comparison of numerical solution and simulation
The numerical solution curves are consistent with our simulation well. Fig. 4 (a) shows that the number of infectious hosts I(t) reaches its maximum value at t = 224, and it is about 52% of the maximum value in the original classical simple epidemic model, which can be obtained from our model by setting the parameters γ
S
=γ
I
= 0. From then on it decreases because the number of removed infected hosts in a unit time is greater than the number of newly generated infected hosts at the same time. Before t = 224, the number of newly generated immune hosts are much greater than the newly generated removed hosts; but after t = 224, it is reverse. That means the SFworm work effectively, just like worm, from the starting time; but, after t =
224, the susceptible hosts are very difficult to probe, both worm and SFworm will propagate slowly; and then the IFworm begin to work effectively to recover the infected hosts.
In order to make it more clearly, we give some other special numerical solutions. These curves have different initiative value at the starting time. From left to right in Fig. 6, the proportion of the infected hosts is 0.4%, 10%, and 80%. The initiative proportion of the SFworm γ
S
= 0 and the initiative proportion of the IFworm γ
I
= 0.3% in all of following figures. The other parameters are same to that in Fig. 4. In each sub-figure of Fig. 5, we plot
S(t), I(t), and R(t) in each one.

Fig. 5 Worm propagation with different parameters
Fig. 5 shows IFworm can recover all of the infected hosts at any situation, and even when
Factor δ: We model it as a function of time, i.e.,
δ(t). From the point of network, if one worm scan worm reaches its maximum value. But if we send out IFworm at the starting time, the proportion of the infected hosts will also nearly reach its maximum value. So we can conclude that the main period, when the proportion of the IFworms increases fast, is after the peak value of worm epidemic. is sent out in one unit time, there is one effective touch to network. So δ(t) is the product of the worm propagation rate α and the number of worms M*I(t), where I(t) is the proportion of the infected hosts at time t. Then we have:
   
M
I ——
( 10 )
Definition 11 Worms Absolute Impact
5.2
Factor λ(t) ： Suppose there are N kinds of worms
In this situation, the IFworm is same to
SFworm, and then γ
S
= γ
I
=γ. Let R(t) denote the sum of R
S
(t) and R
I
(t), then we have
R
S t
 
'
  
S
   
—— ( 6 ) in network, the proportion of each worm is I n
(t), and the propagation rate of each worm is α n
. (0 ≤
And
R
I
 
  
I
   
—— ( 7 ) n<N) Then:
  n
N 

1

0
 n
—— ( 11 )
Substituting Eq.(6) and Eq.(7) into Eq(5) yields a new differential equation. We refer to this worm model described by the new equation as the one-friendly-worm worm propagation model, and the propagation of worm MSBlaster together with worm Welchia belongs to this model. Because of the limit of the paper, we will not give the solution of this model, and the solution can be obtained by referring to the two-friendly-worm worm propagation model we gave above.
6
From result of the numerical solution and simulation, we can conclude that SFworm and
IFworm can contain the worm epidemic effectively. But both of them are also worms, and they will bring extra traffic load to network. In this part, we will analyze the impact worms bring to the network after worm Welchia was sent out to contain worm MSBlaster. It belongs to the one-friendly-worm worm propagation model.
At last, based on the model, a new propagation way is designed for Fworm to replace Welchia to contain
MSBlaster. We give some definitions first.
Definition 10 Worm Effective Touch
So we have the absolute impact factor in the classical simple epidemic model and in our model:




0 t
 
 



I

0
 
 
 
SI
 
 
IR
 
Where δ
0
(t) is the effective touch factor worms caused in the classical simple epidemic model, δ
I
(t) is caused by worms in our model,
δ
SI
(t) is caused by SFworms, and δ
IR
(t) is caused by IFworms. Then λ(t) is the total impact in our model.
Definition 12 Worms Relative Impact
Factor θ(t):
  



0
 
  ——
( 12 )
For parameters I
0
=0.0004, R
0
=0.0003, α = γ
= 6.00, we analyze the impact to network when worm MSBlaster and its anti-worm Welchia propagate, and plot them in Fig. 7.
Fig. 7 (I) shows that the maximum impact
(λ(t) ), the total impact that both MSBlaster and
Welchia caused), after sending out worm Welchia to network, is same to the maximum impact (λ
0
(t)) that worm LiOn cause without Welchia interacting with it. But the differentia is that the peak value arrives early, and the whole curve is moved ahead after Welchia was sent out. (In Fig.7, λ(t) is about

0.1%~2.5% bigger than λ
0
(t) in the same time t).
That is why people said the epidemic became serious after the anti-worm occurred, and then
Welchia is a FFworm in our worm taxonomy. Fig.
7 (II) shows that the maximum of θ(t) occurs at the starting time, which is result of our initiative value.
We also conclude that Welchia will kill all of worm MSBlaster, if time is enough. But the impact to network will not decrease before
Welchia kill itself automatically. Just like worm
Welchia, which will kill itself after 01/01/2004, but, in fact, it is too long from August 2003 to
January 2004 for users to wait.
7
Our final purpose is to contain vicious worm effectively and not to cause the congestion to the
Internet. It is determined by two factors: the worm propagating speed and the controllable strategy, which are property propagation and property self_killing in class friendly_worm. Worm
Welchia is a failing friendly worm, because it aggravates the congestion to the Internet and it cannot kill itself before 2004. So we will make an abstract study on worm propagation way and controllable strategy based on a simple analysis.
We make the following assumption: the set of
M vulnerable hosts are under consideration; V(t) percent of hosts have vulnerability and R(t) percent of the hosts are recovered with Fworm at time t; α is the average scan rate per Fworm; there is only one recovered host with Fworm at starting time and the scanning space is M. During propagation, each copy of Fworm will divide its scanning space into N sub-space and only one copy is sent to one sub-space. Then the original
Fworm passes the sub-space to the new copy as its scanning space and continues to scan the remain space. If the scanning space of a Fworm is null, it will kill itself. We give a simulation on the parameters N =4, M = 100,000, R(t) = 0.001%,
V(t) = 1 – R(t), as figured in Fig. 8:
Fig. 7 Numerical analysis of worm MSBlaster and Welchia
In Fig. 8, we model the proportion of the recovered hosts and the proportion of the hosts with friendly worm as a function of time t. We can conclude that the friendly worm will die away along with the propagation scale. This strategy is better than Welchia, which will kill itself after
2004.
1.2
1
0.8
0.6
Total Recovered
Hosts
0.4
0.2
Recovered Hosts with Friendly
Worm
0
0 10 20 time:t
30 40 50
Fig. 8 A controllable friendly worm propagation model
And then we will compare the propagating speed. We give a simulation on the parameters N
=4, M = 100,000, R(t) = 0.001%, I(t) = 0.4%, S(t)
= 1 – R(t) – I(t), and let the friendly worm propagate in the respective way, as figured in
Fig .9 (a) and (b) .
From comparison in Fig. 9, we conclude that the total proportion of infected hosts in our propagation way decreases slower than that in the original way after the peak value, but the sum

proportion of both worms is much bigger that in the original, this is another key factor that determines the congestion to the Internet. Much effective friendly worm can be designed to contain the vicious worm, and we will not introduce it here due to the limit of the paper. a. Friendly worm propagate in improved way
Reference:
[
１
] D. Seeley. A tour of the worm. In Proc. of the
Winter Usenix Conference, San Diego, CA, 1989.
[
２
] E. Spafford, “The Internet Worm: Crisis and
Aftermath,” Communications of the ACM, vol.
32, no. 6, pp. 678–687, June 1989.
[
３
] D.J. Daley and J. Gani. Epidemic Modelling:
An Introduction. Cambridge University Press,
1999.
[
４
] J. C. Frauenthal. Mathematical Modeling in
Epidemiology. Springer-Verlag, New York, 1980.
[
５
] Z. Chen, L. Gao, and K. Kwiat. Modeling the
Spread of Active Worms, In IEEE INFOCOM,
2003.
[
６
] D. Moore and C. Shannon, “Code-Red: a
Case Study on the Spread and Victims of an
Internet Worm,” in Proceedings of the 2002 ACM
SICGOMM Internet Measurement Workshop,
Marseille, France, Nov. 2002, pp. 273–284.
[
７
] D. Song, R. Malan, and R. Stone, “A
Snapshot of Global Internet Worm Activity,”
Arbor Networks, Tech. Rep., Nov. 2001.
[
８
] Eugene H. Spafford, “The Internet worm program: an analysis”, ACM Computer
Communication Review, 1989, 19 (1): 17
～
57. http://www.cerias.purdue.edu/homes/spaf/tech-rep s/823.ps
b. Friendly worm propagate in original way
Fig. 9 Comparison of propagation way
8
Enlightened by the existing “friendly worm”, such as Welchia, we have constructed a taxonomy of worms based on the worm’s action. By the taxonomy, we can understand the threat posed by
Internet worms. After simulating and analyzing the propagation model of worms together with anti-worms, we prove that the worm Welchia will bring more congestion to network if it propagates in the original way.
By the improved propagation way, friendly worm have better controllable policy and can propagate faster. It is not the best way, but it is a new research field. We will introduce them in detail in other papers.