An Initial Analysis and Presentation of Malware Exhibiting  Swarm-Like Behavior  Fernando C.Col´on Osorio  Wireless System Security Research Laboratory  (W.S.S.R.L.)  420 Lakeside Avneue  Marlboro, Massachusetts 01752  fcco@cs.wpi.edu  Zachi Klopman  Wireless System Security Research Laboratory  (W.S.S.R.L.)  420 Lakeside Avneue  Marlboro, Massachusetts 01752  zachi@cs.wpi.edu  ABSTRACT  The Slammer, which is currently the fastest computer worm  in recorded history, was observed to infect 90 percent of all  vulnerable Internets hosts within 10 minutes. Although the  main action that the Slammer worm takes is a relatively   unsophisticated replication of itself, it still spreads so quickly  that human response was ineffective. Most proposed   countermeasures strategies are based primarily on rate detection  and limiting algorithms. However, such strategies are being  designed and developed to effectively contain worms whose  behaviors are similar to that of Slammer.  In our work, we put forth the hypothesis that next   generation worms will be radically different, and potentially  such techniques will prove ineffective. Specifically, we   propose to study a new generation of worms called Swarm  Worms, whose behavior is predicated on the concept of  emergent intelligence. Emergent Intelligence is the   behavior of systems, very much like biological systems such as  ants or bees, where simple local interactions of autonomous  members, with simple primitive actions, gives rise to   complex and intelligent global behavior. In this manuscript we  will introduce the basic principles behind the idea of Swarm  Worms, as well as the basic structure required in order to  be considered a swarm worm. In addition, we will present  preliminary results on the propagation speeds of one such  swarm worm, called the ZachiK worm. We will show that  ZachiK is capable of propagating at a rate 2 orders of   magnitude faster than similar worms without swarm capabilities.  Categories and Subject Descriptors  C.2.4 [Distributed Systems]: Intrusion Detection; D.4.6  [Security and Protection]: Invasive software    1. INTRODUCTION AND PREVIOUSWORK  In the early morning hours (05:30 GMT) of January 25,  2003 the fastest computer worm in recorded history began  spreading throughout the Internet. Within 10 minutes after  the first infected host (patient zero), 90 percent of all   vulnerable hosts had been compromised creating significant   disruption to the global Internet infrastructure. Vern Paxson of  the International Computer Science Institute and Lawrence  Berkeley National Laboratory in its analysis of Slammer  commented: The Slammer worm spread so quickly that   human response was ineffective, see [4] The interesting part,  from our perspective, about the spread of Slammer is that it  was a relatively unsophisticated worm with benign behavior,  namely self-reproduction. Since Slammer, researchers have  explored the behaviors of fast spreading worms, and have  designed countermeasures strategies based primarily on rate  detection and limiting algorithms. For example, Zou, et al.,  [2], proposed a scheme where a Kalman filter is used to   detect the early propagation of a worm. Other researchers  have proposed the use of detectors where rates of   Destination Unreachable messages are monitored by firewalls, and  a significant increase beyond normal, alerts the   organization to the potential presence of a worm. However, such  strategies suffer from the fighting the last War syndrome.  That is, systems are being designed and developed to   effectively contain worms whose behaviors are similar to that of  Slammer.  In the work described here, we put forth the   hypothesis that next generation worms will be different, and   therefore such techniques may have some significant limitations.  Specifically, we propose to study a new generation of worms  called Swarm Worms, whose behavior is predicated on the  concept of emergent intelligence. The concept of emergent  intelligence was first studied in association with biological  systems. In such studies, early researchers discovered a   variety of interesting insect or animal behaviors in the wild.  A flock of birds sweeps across the sky. A group of ants  forages for food. A school of fish swims, turns, flees   together away from a predator, ands so forth. In general, this  kind of aggregate motion has been called swarm   behavior. Biologists, and computer scientists in the field of   artificial intelligence have studied such biological swarms, and  323  attempted to create models that explain how the elements  of a swarm interact, achieve goals, and evolve. Moreover, in  recent years the study of swarm intelligence has become  increasingly important in the fields of robotics, the design  of Mobile ad-hoc Networks (MANETS), the design of   Intrusion Detection Systems, the study of traffic patterns in  transportation systems, in military applications, and other  areas, see [3].  The basic concepts that have been developed over the last  decade to explain swarms, and swarm behavior include  four basic components. These are:  1. Simplicity of logic & actions: A swarm is composed of  N agents whose intelligence is limited. Agents in the  swarm use simple local rules to govern their actions.  Some models called this primitive actions or behaviors;  2. Local Communication Mechanisms: Agents interact  with other members in the swarm via simple local  communication mechanisms. For example, a bird in a  flock senses the position of adjacent bird and applies  a simple rule of avoidance and follow.  3. Distributed control: Autonomous agents interact with  their environment, which probably consists of other  agents, but act relatively independently from all other  agents. There is no central command or leader, and  certainly there is no global plan.  4. Emergent Intelligence: Aggregate behavior of   autonomous agents results in complex intelligent   behaviors; including self-organization.  In order to understand fully the behavior of such swarms  it is necessary to construct a model that explains the   behavior of what we will call generic worms. This model, which  extends the work by Weaver [5] is presented here in section 2.  In addition, we intend to extend said model in such a way  that it clearly explains the behaviors of this new class of  potentially dangerous worms called Swarm Worms. Swarm  Worms behave very much like biological swarms and exhibit  a high degree of learning, communication, and distributed  intelligence. Such Swarm Worms are potentially more   harmful than their similar generic counterparts. Specifically, the  first instance, to our knowledge, of such a learning worm was  created, called ZachiK. ZachiK is a simple password   cracking swarm worm that incorporates different learning and  information sharing strategies. Such a swarm worm was   deployed in both a local area network of thirty-(30) hosts, as  well as simulated in a 10,000 node topology. Preliminary  results showed that such worms are capable of   compromising hosts at rates up to two orders of magnitude faster than  their generic counterpart. The rest of this manuscript is  structure as follows. In section 2 an abstract model of both  generic worms as well as swarm worms is presented. This  model is used in section 2.6 to described the first instance  of a swarm worm, ZachiK. In section 4, preliminary results  via both empirical measurements as well as simulation is  presented. Finally, in section 5 our conclusions and insights  into future work are presented.  2. WORM MODELING  In order to study the behavior of swarm worms in general,  it is necessary to create a model that realistically reflects  the structure of worms and it is not necessarily tied to a  specific instance. In this section, we described such a model  where a general worm is describe as having four-(4) basic  components or subfunctions. By definition, a worm is a   selfcontained, self propagating program. Thus, in simple terms,  it has two main functions: that which propagates and that  which does other things. We propose that there is a third  broad functionality of a worm, that of self-preservation. We  also propose that the other functionality of a worm may  be more appropriately categorized as Goal-Based Actions  (GBA), as whatever functionality included in a worm will  naturally be dependent on whatever goals (and subgoals)  the author has.  The work presented by Weaver et. al. in [5] provides  us with mainly an action and technique based taxonomy of  computer worms, which we utilize and further extend here.  2.1 Propagation  The propagation function itself may be broken down into  three actions: acquire target, send scan, and infect target.  Acquiring the target simply means picking a host to attack  next. Sending a scan involves checking to see if that host is  receptive to an infection attempt, since IP-space is sparsely  populated. This may involve a simple ping to check if the  host is alive or a full out vulnerability assessment. Infecting  the target is the actual method used to send the worm code  to the new host. In algorithm form:  propagate() {  host := acquire_target()  success := send_scan(host)  if( success ) then  infect(host)  endif  }  In the case of a simple worm which does not first check to  see if the host is available or susceptible (such as Slammer),  the scan method is dropped:  propagate() {  host := acquire_target()  infect(host)  }  Each of these actions may have an associated cost to its  inclusion and execution, such as increased worm size and  CPU or network load. Depending on the authors needs or  requirements, these become limiting factors in what may be  included in the worm"s actions. This is discussed further  after expanding upon these actions below.  2.2 Target Acquisition:  The Target Acquisition phase of our worm algorithm is  built directly off of the Target Discovery section in [5]. Weaver  et. al. taxonomize this task into 5 separate categories. Here,  we further extend their work through parameterization.  Scanning: Scanning may be considered an equation-based  method for choosing a host. Any type of equation may be  used to arrive at an IP address, but there are three main  types seen thus far: sequential, random, and local   preference. Sequential scanning is exactly as it sounds: start at  an IP address and increment through all the IP space. This  could carry with it the options of which IP to start with (user  chosen value, random, or based on IP of infected host) and  324  how many times to increment (continuous, chosen value, or  subnet-based). Random scanning is completely at random  (depending on the chosen PRNG method and its seed value).  Local preference scanning is a variance of either Sequential  or Random, whereby it has a greater probability of   choosing a local IP address over a remote one (for example, the  traditional 80/20 split).  Pre-generated Target Lists: Pre-generated Target Lists,  or so called hit-lists, could include the options for   percentage of total population and percentage wrong, or just   number of IPs to include. Implicit to this type is the fact that the  list is divided among a parent and its children, avoiding the  problem of every instance hitting the exact same machines.  Externally Generated Target Lists: Externally   generated target lists depend on one or more external sources  that can be queried for host data. This will involve either  servers that are normally publicly available, such as gaming  meta-servers, or ones explicitly setup by the worm or worm  author. The normally available meta-servers could have   parameters for rates of change, such as many popping up at  night or leaving in the morning. Each server could also have  a maximum queries/second that it would be able to handle.  The worm would also need a way of finding these servers,  either hard-coded or through scanning.  Internal Target Lists: Internal Target Lists are highly  dependent on the infected host. This method could   parameterize the choice of how much info is on the host, such as all  machines in subnet, all windows boxes in subnet,   particular servers, number of internal/external, or some   combination.  Passive: Passive methods are determined by normal  interactions between hosts. Parameters may include a rate  of interaction with particular machines, internal/external  rate of interaction, or subnet-based rate of interaction.  Any of these methods may also be combined to produce  different types of target acquisition strategies. For example,  the a worm may begin with an initial hit-list of 100 different  hosts or subnets. Once it has exhausted its search using the  hit-list, it may then proceed to perform random scanning  with a 50% local bias.  It is important to note, however, that the resource   consumption of each method is not the same. Different methods  may require the worm to be large, such as the extra bytes   required by a hit-list, or to take more processing time, such as  by searching the host for addresses of other vulnerable hosts.  Further research and analysis should be performed in this  area to determine associated costs for using each method.  The costs could then be used in determining design   tradeoffs that worm authors engage at. For example, hit lists  provide a high rate of infection, but at a high cost of worm  payload size.  2.2.1 Sending a Scan  The send scan function tests to see if the host is available  for infection. This can be as simple as checking if the host  is up on the network or as complex as checking if the host is  vulnerable to the exploit which will be used. The sending of  a scan before attempted infection can increase‘ the scanning  rate if the cost for failing an infection is greater than the  cost of failing a scan or sending a scan plus infection; and  failures are more frequent than successes. One important  parameter to this would be the choice of transport protocol  (TCP/UDP) or just simply the time for one successful scan  and time for one failed scan. Also, whether or not it tests  for the host to be up or if it is a full test for the vulnerability  (or for multiple vulnerabilities).  2.2.2 Infection Vector (IV)  The particular infection vector used to access the remote  host is mainly dependent on the particular vulnerability   chosen to exploit. In a non-specific sense, it is dependent on the  transport protocol chosen to use and the message size to be  sent. Section 3 of [5] also proposes three particular classes  of IV: Self-carried, second channel, and embedded.  2.3 Self Preservation  The Self Preservation actions of a worm may take many  forms. In the wild, worms have been observed to disable  anti-virus software or prevent sending itself to certain   antivirusknown addresses. They have also been seen to attempt   disabling of other worms which may be contending for the same  system. We also believe that a time-based throttled   scanning may help the worm to slip under the radar. We also  propose a decoy method, whereby a worm will release a few  children that cause a lot of noise so that the parent is not  noticed. It has also been proposed [5] that a worm cause  damage to its host if, and only if, it is disturbed in some  way. This module could contain parameters for: probability  of success in disabling anti-virus or other software updates,  probability of being noticed and thus removed, or   hardening of the host against other worms.  2.4 Goal-Based Actions  A worm"s GBA functionality depends on the author"s goal  list. The Payloads section of [5] provides some useful   suggestions for such a module. The opening of a back-door can  make the host susceptible to more attacks. This would   involve a probability of the back-door being used and any   associated traffic utilization. It could also provide a list of other  worms this host is now susceptible to or a list of   vulnerabilities this host now has. Spam relays and HTTP-Proxies of  course have an associated bandwidth consumption or traffic  pattern. Internet DoS attacks would have a set time of   activation, a target, and a traffic pattern. Data damage would  have an associated probability that the host dies because of  the damage.  In Figure 1, this general model of a worm is summarized.  Please note that in this model there is no learning, no, or  very little, sharing of information between worm instances,  and certainly no coordination of actions. In the next   section we expand the model to include such mechanisms, and  hence, arrive at the general model of a swarm worm.  2.5 Swarms - General Model  As described in section 1, the basic characteristics that  distinguished swarm behavior from simply what appears to  be collective coordinated behaviors are four basic attributes.  These are:  1. Simplicity of logic & actions;  2. Local Communication Mechanisms;  3. Distributed control; and  4. Emergent Intelligence, including self-organization.  325  Structure Function/Example  Infection, Infection Vector Executable is run  Protection & Stealthiness Disable McAfee  (Staying Alive)  Propagation Send email  to everyone in  address book  Goal Based Action (GBA) DDoS www.sco.com  Everything else, often  called payload  Figure 1: General Worm Model  In this work we aggregate all of these attributes under  the general title of Learning, Communication, and   Distributed Control. The presence of these attributes   distinguishes swarm worms from otherwise regular worms, or other  types of malware such as Zombies. In figure ??, the generic  model of a worm is expanded to included these set of actions.  Within this context then, a worm like Slammer cannot be  categorized as a swarm worm due to the fact that new   instances of the worm do not coordinate their actions or share  information. On the other hand, Zombies and many other  forms of DDoS, which at first glance may be consider swarm  worms are not. This is simply due to fact that in the case  of Zombies, control is not distributed but rather centralized,  and no emergent behaviors arise. The latter, the potential  emergence of intelligence or new behaviors is what makes  swarm worms so potentially dangerous. Finally, when one  considers the majority of recent disruptions to the   Internet Infrastructure, and in light of our description of swarm  attacks, then said disruptions can be easily categorized as  precursors to truly swarm behavior. Specifically,  • DDOS - Large number of compromised hosts send   useless packets requiring processing (Stacheldraht, http :  //www.cert.org/ incidentnotes/IN − 99 − 04.html).  DDoS attacks are the early precursors to Swarm   Attacks due to the large number of agents involved.  • Code Red CrV1, Code Red II, Nimbda - Exhibit early  notions of swarm attacks, including a backdoor   communication channel.  • Staniford & Paxson in How to Own the Internet in  Your Spare Time? explore modifications to CrV1,  Code Red I, II with a swarm like type of   behavior. For example, they speculate on new worms which  employ direct worm-to-worm communication, and   employ programmable updates. For example the Warhol  worm, and Permutation-Scanning (self coordinating)  worms.  2.6 Swarm Worm: the details  In considering the creation of what we believed to be the  first Swarm Worm in existence, we wanted to adhere as  close as possible to the general model presented in section  ?? while at the same time facilitating large scale analysis,  both empirical and through simulations, of the behavior of  the swarm. For this reason, we selected as the first instance  Structure Function/Example  Infection, Infection Vector Executable is run  Protection & Stealthiness Disable McAfee  (Staying Alive)  Propagation Send email  to everyone in  address book  Learning, Communication, Pheromones/Flags (Test  and Distributed Control if Worm is already present)  Time bombs, Learning  Algorithms, IRC channel  Goal Based Action (GBA) DDoS www.sco.com  Everything else, often  called payload  Figure 2: General Model of a Swarm Worm  of the swarm a simple password cracking worm. The   objective of this worm simply is to infect a host by sequentially  attempting to login into the host using well known   passwords (dictionary attack), passwords that have been   discovered previously by any member of the swarm, and random  passwords. Once, a host is infected, the worm will create  communication channels with both its known neighbors  at that time, as well as with any offsprings that it   successfully generates. In this context a successful generation of an  offspring means simply infecting a new host and replicating  an exact copy of itself in such a host. We call this swarm  worm the ZachiK worm in honor of one of its creators. As  it can be seen from this description, the ZachiK worm   exhibits all of the elements described before. In the following  sections, we described in detail each one of the elements of  the ZachiK worm.  2.7 Infection Vector  The infection vector used for ZachiK worm is the secure  shell protocol SSH. A modified client which is capable of   receiving passwords from the command line was written, and  integrated with a script that supplies it with various   passwords: known and random. When a password is found for  an appropriate target, the infection process begins. After  the root password of a host is discovered, the worm infects  the target host and replicates itself. The worm creates a  new directory in the target host, copies the modified ssh  client, the script, the communications servers, and the   updated versions of data files (list of known passwords and a  list of current neighbors). It then runs the modified script  on the newly infected hosts, which spawns the   communications server, notifies the neighbors and starts looking for  new targets.  It could be argued, correctly, that the ZachiK worm can be  easily defeated by current countermeasure techniques present  on most systems today, such as disallowing direct root logins  from the network. Within this context ZachiK can quickly  be discarded as very simple and harmless worm that does  not require further study. However, the reader should   consider the following:  1. ZachiK can be easily modified to include a variety of   infection vectors. For example, it could be programmed  to guess common user names and their passwords; gain  326  access to a system, then guess the root password or use  other well know vulnerabilities to gain root privileges;  2. ZachiK is a proof of concept worm. The importance  of ZachiK is that it incorporates all of the behaviors of  a swarm worm including, but not restricted to,   distributed control, communication amongst agents, and  learning;  3. ZachiK is composed of a large collection of agents   operating independently which lends itself naturally to  parallel algorithms such as a parallel search of the  IPV4 address space. Within this context, SLAMMER,  does incorporate a parallel search capability of   potentially susceptible addresses. However, unlike ZachiK,  the knowledge discovered by the search is never shared  amongst the agents.  For this reasons, and many others, one should not discard  the potential of this new class of worms but rather embrace  its study.  2.8 Self-Preservation  In the case of ZachiK worm, the main self-preservation  techniques used are simply keeping the payload small. In  this context, this simply means restricting the number of  passwords that an offspring inherits, masquerading worm  messages as common http requests, and restricting the   number of neighbors to a maximum of five-(5).  2.9 Propagation  Choosing the next target(s) in an efficient matter requires  thought. In the past, known and proposed worms, see [5],  have applied propagation techniques that varied. These   include: strictly random selection of a potential vulnerable  host; target lists of vulnerable hosts; locally biased random  selection (select a host target at random from a local   subnet); and a combination of some or all of the above. In  our test and simulation environments, we will apply a   combination of locally biased and totally random selection of  potential vulnerable hosts. However, due to the fact that  the ZachiK worm is a swarm worm, address discovery (that  is when non-existent addresses are discovered) information  will be shared amongst members of the swarm.  The infection and propagation threads do the following  set of activities repeatedly:  • Choose an address  • Check the validity of the address  • Choose a set of passwords  • Try infecting the selected host with this set of   passwords  As described earlier, choosing an address makes use of a  combination of random selection, local bias, and target lists.  Specifically, to choose an address, the instance may either:  • Generate a new random address  • Generate an address on the local network  • Pick an address from a handoff list  The choice is made randomly among these options, and can  be varied to test the dependency of propagation on   particular choices. Password are either chosen from the list of  known passwords or newly generated. When an infection of  a valid address fails, it is added to a list of handoffs, which  is sent to the neighbors to try to work on.  2.10 Learning, CommunicationandDistributed  Control  2.10.1 Communication  The concept of a swarm is based on transfer of   information amongst neighbors, which relay their new incoming  messages to their neighbors, and so on until every worm   instance in the swarm is aware of these messages. There are  two classes of messages: data or information messages and  commands. The command messages are meant for an   external user (a.k.a., hackers and/or crackers) to control the  actions of the instances, and are currently not implemented.  The information messages are currently of three kinds: new  member, passwords and exploitable addresses (handoffs).  The new member messages are messages that a new instance  sends to the neighbors on its (short) list of initial neighbors.  The neighbors then register these instances in their neighbor  list. These are messages that form the multi-connectivity of  the swarm, and without them, the topology will be a   treelike structure, where eliminating a single node would cause  the instances beneath it to be inaccessible. The passwords  messages inform instances of newly discovered passwords,  and by informing all instances, the swarm as whole collects  this information, which allows it to infect new instances  more effectively. The handoffs messages inform instances  of valid addresses that could not be compromised (fail at  breaking the password for the root account). Since the   address space is rather sparse, it takes a relatively long time  (i.e. many trials) to discover a valid address. Therefore, by  handing off discovered valid addresses, the swarm is (a)   conserving energy by not re-discovering the same addresses  (b) attacking more effectively. In a way, this is a simple  instance of coordinated activity of a swarm.  2.10.2 Coordination  When a worm instance is born, it relays its existence  to all neighbors on its list. The main thread then spawns  a few infection threads, and continues to handle incoming  messages (registering neighbors, adding new passwords,   receiving addresses and relaying these messages).  2.10.3 Distributed Control  Control in the ZachiK worm is distributed in the sense  that each instance of the worm performs a set of actions   independently of every other instance while at the same time  benefiting from the learning achieve by its immediate   neighbors.  2.11 Goal Based Actions  The first instantiation of the ZachiK worm has two basic  goals. These are: (1) propagate, and (2) discover and share  with members of th swarm new root passwords.  3. EXPERIMENTAL DESIGN  In order to verify our hypothesis that Swarm Worms are  more capable, and therefore dangerous than other well known  327  worms, a network testbed was created, and a simulator,  capable of simulating large scale Internet-like topologies  (IPV4 space), was developed. The network testbed   consisted of a local area network of 30 Linux based computers.  The simulator was written in C++  . The simple swarm worm  described in section 2.6 was used to infect patient-zero, and  then the swarm worm was allowed to propagate via its own  mechanisms of propagation, distributed control, and swarm  behaviors.  In the case of a simple local area network of 30   computers, six-(6) different root passwords out of a password space  of 4 digits (10000 options) were selected. At the start of  the experiment a single known password is known, that of  patient-zero. All shared passwords are distributed randomly  across all nodes. Similarly, in the case of the simulation, a  network topology of 10,000 hosts, whose addresses were   selected randomly across the IPV4 space, was constructed.  Within that space, a total of 200 shared passwords were   selected and distributed either randomly and/or targeted to  specific network topologies subnets. For example, in one of  our simulation runs, the network topology consisted of 200  subnets each containing 50 hosts. In such a topology, shared  passwords were distributed across subnets where a varying  percentage of passwords were shared across subnets. The  percentages of shared passwords used was reflective of early  empirical studies, where up to 39.7% of common passwords  were found to be shared.  4. RESULTS  In Figure 3, the results comparing Swarm Attack behavior  versus that of a typical Malform Worm for a 30 node LAN  are presented. In this set of empirical runs, six-(6) shared  passwords were distributed at random across all nodes from  a possible of 10,000 unknown passwords. The data presented  reflects the behaviors of a total of three-(3) distinct classes  of worm or swarm worms. The class of worms presented are  as follows:  • I-NS-NL:= Generic worm, independent (I), no   learning/memoryless (NL), and no sharing of information  with neighbors or offsprings (NS);  • S-L-SP:= Swarm Worm (S), learning (L), keeps list  of learned passwords, and sharing of passwords (SP)  across nearest neighbors and offsprings; and  • S-L-SP&A:= Swarm Worm (S), learning (L), keeps list  of learned passwords, and sharing of passwords and   existent addresses (SP&A) across nearest neighbors and  offsprings.  As it is shown in Figure 3, the results validate our original  hypothesis that swarm worms are significantly more efficient  and dangerous than generic worms. In this set of   experiments, the sharing of passwords provides an order of   magnitude improvement over a memoryless random worm.   Similarly, a swarm worm that shares passwords and addresses is  approximately two orders of magnitude more efficient than  its generic counterpart.  In Figure 3, a series of discontinuities can be observed.  These discontinuities are an artifact of the small sample  space used for this experiment. Basically, as soon as a   password is broken, all nodes sharing that specific password are  infected within a few seconds. Note that it is trivial for a  swarm worm to scan and discovered a small shared password  space.  In Figure 4, the simulation results comparing Swarm   Attack Behavior versus that of a Generic Malform Worm are  presented. In this set of simulation runs, a network   topology of 10,000 hosts, whose addresses were selected randomly  across the IPV4 space, was constructed. Within that space,  a total of 200 shared passwords were selected and distributed  either randomly and/or targeted to specific network   topologies subnets. The data presented reflects the behaviors of  three-(3) distinct classes of worm or swarm worms and   two(2) different target host selection scanning strategies   (random scanning and local bias). The amount of local bias  was varied across multiple simulation runs. The results   presented are aggregate behaviors. In general the following  class of Generic Worms and Swarm Worms were simulated.  Address Scanning:  • Random:= addresses are selected at random from a  subset of the IPV4 space, namely, a 224  address space;  and  • Local Bias:= addresses are selected at random from  either a local subnet (256 addresses) or from a subset  of the IPV4 space, namely, a 224  address space. The  percentage of local bias is varied across multiple runs.  Learning, Communication & Distributed Control  • I-NL-NS: Generic worm, independent (I), no learning/  memoryless (NL), and no sharing of information with  neighbors or offsprings (NS);  • I-L-OOS: Generic worm, independent (I), learning/  memoryless (L), and one time sharing of information  with offsprings only (OOS);  • S-L-SP:= Swarm Worm (S), learning (L), keeps list  of learned passwords, and sharing of passwords (SP)  across nearest neighbors and offsprings;  • S-L-S&AOP:= Swarm Worm (S), learning (L), keeps  list of learned passwords, and sharing of addresses with  neighbors and offsprings, shares passwords one time  only (at creation) with offsprings(SA&OP);  • S-L-SP&A:= Swarm Worm (S), learning (L), keeps list  of learned passwords, and sharing of passwords and   existent addresses (SP&A) across nearest neighbors and  offsprings.  As it is shown in Figure 4, the results are consistent with  our set of empirical results. In addition, the following   observations can be made.  1. Local preference is incredibly effective.  2. Short address handoffs are more effective than long  ones. We varied the size of the list allowed in the  sharing of addresses; the overhead associated with a  long address list is detrimental to the performance of  the swarm worm, as well as to its stealthiness;  3. For the local bias case, sharing valid addresses of   susceptible host, S-L-S&AOP worm (recall, the S-L-S&AOP  swarm shares passwords, one time only, with offsprings  328  at creation time) is more effective than sharing   passwords in the case of the S-L-SP swarm. In this case,  we can think of the swarm as launching a   distributeddictionary attack: different segments of the swarm use  different passwords to try to break into susceptible   uninfected host. In the local bias mode, early in the life  of the swarm, address-sharing is more effective than  password-sharing, until most subnets are discovered.  Then the targeting of local addresses assists in   discovering the susceptible hosts, while the swarm members  need to waste time rediscovering passwords; and  4. Infecting the last 0.5% of nodes takes a very long time  in non-local bias mode. Basically, the shared password  list across subnets has been exhausted, and the swarm  reverts to simply a random discovery of password   algorithm.  Figure 3: Swarm Attack Behavior vs. Malform  Worm: Empirical Results, 30node LAN  Figure 4: Swarm Attack Behavior vs. Malform  Worm: Simulation Results  5. SUMMARY AND FUTURE WORK  In this manuscript, we have presented an abstract model,  similar in some aspects to that of Weaver [5], that helps  explain the generic nature of worms. The model presented  in section 2 was extended to incorporate a new class of   potentially dangerous worms called Swarm Worms. Swarm  Worms behave very much like biological swarms and exhibit  a high degree of learning, communication, and distributed  intelligence. Such Swarm Worms are potentially more   harmful than their generic counterparts.  In addition, the first instance, to our knowledge, of such a  learning worm was created, called ZachiK. ZachiK is a   simple password cracking swarm worm that incorporates   different learning and information sharing strategies. Such a  swarm worm was deployed in both a local area network of  thirty-(30) hosts, as well as simulated in a 10,000 node   topology. Preliminary results showed that such worms is capable  of compromising hosts a rates up to 2 orders of magnitude  faster than its generic counterpart while retaining stealth  capabilities.  This work opens up a new area of interesting problems.  Some of the most interesting and pressing problems to be  consider are as follows:  • Is it possible to apply some of learning concepts   developed over the last ten years in the areas of swarm  intelligence, agent systems, and distributed control to  the design of sophisticated swarm worms in such a way  that true emergent behavior takes place?  • Are the current techniques being developed in the   design of Intrusion Detection & CounterMeasure   Systems and Survivable systems effective against this new  class of worms?; and  • What techniques, if any, can be developed to create  defenses against swarm worms?  6. ACKNOWLEDGMENTS  This work was conducted as part of a larger effort in the  development of next generation Intrusion Detection &   CounterMeasure Systems at WSSRL. The work is conducted   under the auspices of Grant ACG-2004-06 by the Acumen   Consulting Group, Inc., Marlboro, Massachusetts.  7. REFERENCES  [1] C.C. Zou, L. Gao, W. G., and Towsley, D.  Monitoring and early warning for internet worms. In  10th ACM Conference on Computer and  Communications Security, Washington, DC (October  2003).  [2] Liu, S., and Passino, K. Swarm intelligence:  Literature overview. In Dept. of Electrical Engineering,  The Ohio State University, 2015 Neil Ave., Columbus,  OH 43210 (2000).  [3] Moore, D., Paxson, V., Savage, S., Shannon, C.,  Staniford, S., and Weaver, N. The spread of the  saphire/slammer worm. Tech. rep., A joint effort of  CAIDA, ICSI, Silicon Defense, UC Berkeley EECS and  UC San Diego CSE, 2003.  [4] Weaver, N., Paxson, V., Staniford, S., and  Cunningham, R. A taxonomy of computer worms. In  Proceedings of the ACM Workshop on Rapid Malware  (WORM) (2003).  329