A term proposed by Nicholas C. Warner
of UC Berkeley
to describe an Internet
program designed for exceedingly rapid replication
. Warner described the Warhol Worm -- or rather, several design principles
for such a worm, in his eponymous paper, "Warhol Worms: The Potential for Very Fast Internet Plagues."
The name, of course, comes from Andy Warhol
's famous quote: "In the future, everybody will have 15 minutes of fame.
" Warner suggests that a properly-designed worm designed can spread within 15 minutes to saturate the pool of vulnerable
In brief, the Warhol Worm design principles are as follows:
A Warhol Worm is an active worm. That is to say, it spreads without the need for human intervention, along the lines of Code Red, li0n, and the Morris Worm rather than those of Melissa and other "email viruses".
A Warhol Worm uses one or more techniques to optimize its scanning of the IP address space for vulnerable hosts. These may include:
- The use of a hitlist -- a predetermined list of known vulnerable hosts to use as a seed population.
- The use of many concurrent scans from each infected host. Warner suggests that 100 addresses per second is a reasonable target.
- Division of the target address space among infected hosts. Scans carried out by the seed population should be designed so as not to probe the same target addresses from multiple seed hosts.
- The use of multiple scanning strategies -- pseudorandom permutation scans, random scans, sequential scans, and scans biased towards addresses on the infected host's local subnet.
- Coordination among infected hosts. When a worm host "discovers" another worm host in the course of a scan, each alters its scanning strategy to avoid redundancy.
- Timed, periodic, or random variations in behavior.
Warner suggests that targets for a Warhol Worm might include widely-deployed Microsoft products such as IIS and Microsoft Exchange, peer-to-peer file sharing software such as Gnutella or KaZaA, or instant messaging programs such as AIM and MSN. Each of these populations is widespread and has certain advantages for worm replication. A worm which exploits multiple services, of course, has a much wider potential base of victims.
What defense is possible against a worm which is actually well-designed to do its evil task? Besides the standard recommendations, Warner suggests two less frequently mentioned: the use of diverse implementations of network services (to limit the threat of any single security hole), and a more rapid migration to IPv6 so as to expand the address space beyond the practical limits of exhaustive scanning.
The Warhol Worm paper is available on the Web at http://www.cs.berkeley.edu/~nweaver/warhol.html.
Update, Sep. 18 2001: The Nimda worm -- also known as W32/Nimda@mm -- appears to be an example of several of the above features. Notably, it appears to attack multiple services (email, IIS, Internet Explorer, and SMB shares); to attack multiple vulnerabilities in a service (IIS); and to have been seeded with a hitlist of sites previously compromised via Code Red.