ABSTRACT
Although worms have evolved from both technological and
social engineering perspectives, there has been little change
in the basic method of propagation-the initial scanning
phase in which the worm looks for the vulnerable hosts.
Once a worm reaches an installation base of 10,000 or more
hosts, propagation becomes exponentially faster. In virtually
all cases to date, worms have been slow to find the initial
10,000 or so exploitable hosts. During this scanning phase,
worms produce quite a bit of “noise” as they scan random
address ranges across the Internet, looking for targets. This
causes firewalls and intrusion detection system (IDS) sys-
tems to generate alerts and serves as an early warning that a
new worm is winding its malicious way across the Internet.
