Recent Worms: A Survey and Trends

Darrell M. Kienzle *
Symantec Corporation
12801 Worldgate Dr. Suite 800
Herndon, VA 20170
703-668-8872
[email protected]

Matthew C. Elder
Network Associates
1145 Herndon Pkwy. Suite 500
Herndon, VA 20170
703-885-4814
[email protected]

ABSTRACT

In this paper, we present a broad overview of recent worm activity. Virus information repositories, such as the Network Associates' Virus Information Library, contain over 4500 different entries (through the first quarter of 2003). While many of these entries are interesting, a great number of them are now simply historical and a large percentage of them are completely derivative in nature. However, these virus information repositories are the best source of material on the breadth of malicious code, including worms. This paper is meant to provide worm researchers with a high-level roadmap to the vast body of virus and worm information. After sifting through hundreds of entries, we present only those that we considered breakthrough or novel, primarily from a technical perspective. As a result, we found ourselves omitting some of the most notorious worms simply because they lacked any original aspects. It is our hope that others in the community who need to get up to speed in the worm literature can benefit from this survey. While this study does not contain any original research, it provides an overview of worms using a truly breadth-first approach, which has been lacking in the existing worm literature. From this raw data, we have also extracted a number of broad quantitative and qualitative trends that we have found to be interesting. We believe that a workshop discussion of these, and other thoughts, will be engaging and informative.

Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection – Invasive software (e.g., viruses, worms, Trojan horses).

General Terms
Security.

Keywords
Malicious code, survey.

1. INTRODUCTION

In March 2001, c|net declared that 2001 would be “The Year of the Worm” [6]. They predicted that fast-moving, self-replicating code would become the weapon of choice for those wanting to inflict widespread damage on the Internet. As it turns out, 2001 saw a renaissance in worm creation. This culminated in the release of Nimda, an incredibly sophisticated worm that made headlines worldwide.

As part of a larger research project on detecting worm-like behavior, we conducted a study of recent worm activity. The goal of this study was to better understand recent trends in worm development and attempt to extrapolate future worm developments. In this paper, we present our findings about recent worms. We do not make any predictions about future worm developments, if for no other reason than we would rather not give anyone any ideas.

We found conducting this exercise to be a very useful and insight-generating activity. While there are a number of excellent, detailed research papers describing specific, significant worms, we were unable to find a broad survey of worms in the literature. Using a breadth-first approach, we sorted through the thousands of malicious code descriptions to determine the ones that could be considered worms, then examined these worm descriptions to classify them and determine the ones that are truly interesting. The purpose of this paper is to aid others in the community by sharing this (tedious) legwork. We present here a roadmap to this vast library of virus and worm information, identifying those strains that we consider to be interesting to the worm researcher. Following the introduction that this paper provides, the worm researcher can then examine the many well-written, depth-first explorations of particular worms (e.g., Code Red [7] and Slammer [8]).

In this paper, we discuss the past and present of worms and related malicious code (through the first quarter of 2003). The paper is structured as follows:

• Section II presents some of the varying definitions for malicious code categories: worms, viruses, Trojan horses, remote access Trojans, and backdoors. We outline the significant distinctions that we are making to determine the worms that we include in this study. Then, we divide worms into three broad categories for detailed discussion of their key innovations and impact in the next three sections.
• Section III reviews important e-mail worms.
• Section IV reviews Windows file sharing worms.
• Section V reviews traditional worms.
• Section VI presents some high-level quantitative trends extracted from Network Associates' Virus Information Library.
• Section VII proposes some of the qualitative trends we have observed and would be interested in discussing at the workshop.
• Section VIII provides a brief summary.

* The author was with Network Associates while performing this work.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. WORM ’03, October 27, 2003, Washington, DC, USA. Copyright 2003 ACM 1-58113-785-0/03/0010…$5.00.

2. DEFINITIONS AND CATEGORIES

One of the impediments that we encountered in our study of worms was the different definitions and categorizations that various people use. In this section we outline the definitions of a worm and other types of malicious code, and we propose a definition for worm that we use for the remainder of the paper. We also describe our division of worms into three broad categories that we find useful for discussing recent trends.

2.1 What Constitutes a Worm?

The scope of this survey is “recent worms.” For that reason, it is necessary to determine precisely what constitutes a worm. Unfortunately, a quick look at primary sources indicates that there is no consensus as to what that definition should be. For a good cross-section of the definitional landscape, please refer to the web sites of the various anti-virus companies and other security organizations, such as F-Secure [3], Network Associates [10], the SysAdmin, Audit, Network, Security (SANS) Institute [11], and Symantec [17]. We considered the following aspects of a definition