Defense and Detection Strategies against Internet Worms - Jose Nazario

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL: http://www.esecurity.ch/serieseditor.html

Also, if you’d like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House. For a listing of recent titles in the Artech House Computer Security Series, turn to the back of this book.

Contents

Foreword xvii
Preface xxi
Acknowledgments xxvii

1 Introduction 1
  1.1 Why worm-based intrusions? 2
  1.2 The new threat model 3
  1.3 A new kind of analysis requirement 4
  1.4 The persistent costs of worms 5
  1.5 Intentions of worm creators 6
  1.6 Cycles of worm releases 7
  1.6 References 8

Part I Background and Taxonomy 9

2 Worms Defined 11
  2.1 A formal definition 12
  2.2 The five components of a worm 12
  2.3 Finding new victims: reconnaissance 14
  2.4 Taking control: attack 15
  2.5 Passing messages: communication 15
  2.6 Taking orders: command interface 16
  2.7 Knowing the network: intelligence 17
  2.8 Assembly of the pieces 18
  2.9 Ramen worm analysis 19
  2.10 Conclusions 21
  2.10 References 21

3 Worm Traffic Patterns 23
  3.1 Predicted traffic patterns 23
    3.1.1 Growth patterns 23
    3.1.2 Traffic scan and attack patterns 25
  3.2 Disruption in Internet backbone activities 26
    3.2.1 Routing data 26
    3.2.2 Multicast backbone 27
    3.2.3 Infrastructure servers 28
  3.3 Observed traffic patterns 28
    3.3.1 From a large network 28
    3.3.2 From a black hole monitor 30
    3.3.3 From an individual host 31
  3.4 Conclusions 34
  3.4 References 34

4 Worm History and Taxonomy 37
  4.1 The beginning 38
    4.1.1 Morris worm, 1988 39
    4.1.2 HI.COM VMS worm, 1988 41
    4.1.3 DECNet WANK worm, 1989 42
    4.1.4 Hacking kits 43
  4.2 UNIX targets 44
    4.2.1 ADMw0rm-v1, 1998 44
    4.2.2 ADM Millennium worm, 1999 45
    4.2.3 Ramen, 2000 46
    4.2.4 1i0n worm, 2001 47
    4.2.5 Cheese worm, 2001 48
    4.2.6 sadmind/IIS worm, 2001 48
    4.2.7 X.c: Telnetd worm, 2001 49
    4.2.8 Adore, 2001 49
    4.2.9 Apache worms, 2002 50
    4.2.10 Variations on Apache worms 51
  4.3 Microsoft Windows and IIS targets 53
    4.3.1 mIRC Script.ini worm, 1997 53
    4.3.2 Melissa, 1999 54
    4.3.3 Love Letter worm, 2001 54
    4.3.4 911 worm, 2001 55
    4.3.5 Leaves worm, 2001 56
    4.3.6 Code Red, 2001 56
    4.3.7 Code Red II, 2001 58
    4.3.8 Nimda, 2001 59
    4.3.9 Additional e-mail worms 60
    4.3.10 MSN Messenger worm, 2002 60
    4.3.11 SQL Snake, 2002 61
    4.3.12 Deloder, 2002–2003 62
    4.3.13 Sapphire, 2003 62
  4.4 Related research 63
    4.4.1 Agent systems 64
    4.4.2 Web spiders 64
  4.5 Conclusions 65
  4.5 References 65

5 Construction of a Worm 69
  5.1 Target selection 69
    5.1.1 Target platform 70
    5.1.2 Vulnerability selection 71
  5.2 Choice of languages 72
    5.2.1 Interpreted versus compiled languages 72
  5.3 Scanning techniques 74
  5.4 Payload delivery mechanism 75
  5.5 Installation on the target host 76
  5.6 Establishing the worm network 77
  5.7 Additional considerations 78
  5.8 Alternative designs 78
  5.9 Conclusions 80
  5.9 References 80

Part II Worm Trends 81

6 Infection Patterns 83
  6.1 Scanning and attack patterns 83
    6.1.1 Random scanning 83
    6.1.2 Random scanning using lists 85
    6.1.3 Island hopping 86
    6.1.4 Directed attacking 87
    6.1.5 Hit-list scanning 88
  6.2 Introduction mechanisms 89
    6.2.1 Single point 89
    6.2.2 Multiple point 90
    6.2.3 Widespread introduction with a delayed trigger 90
  6.3 Worm network topologies 91
    6.3.1 Hierarchical tree 91
    6.3.2 Centrally connected network 93
    6.3.3 Shockwave Rider-type and guerilla networks 94
    6.3.4 Hierarchical networks 95
    6.3.5 Mesh networks 96
  6.4 Target vulnerabilities 97
    6.4.1 Prevalence of target 97
    6.4.2 Homogeneous versus heterogeneous targets 98
  6.5 Payload propagation 99
    6.5.1 Direct injection 99
    6.5.2 Child to parent request 100
    6.5.3 Central source or sources 101
  6.6 Conclusions 102
  6.6 References 102

7 Targets of Attack 103
  7.1 Servers 103
    7.1.1 UNIX servers 104
    7.1.2 Windows servers 104
  7.2 Desktops and workstations 105
    7.2.1 Broadband users 105
    7.2.2 Intranet systems 107
    7.2.3 New client applications 107
  7.3 Embedded devices 108
    7.3.1 Routers and infrastructure equipment 109
    7.3.2 Embedded devices 109
  7.4 Conclusions 110
  7.4 References 110

8 Possible Futures for Worms 113
  8.1 Intelligent worms 113
    8.1.1 Attacks against the intelligent worm 117
  8.2 Modular and upgradable worms 118
    8.2.1 Attacks against modular worms 121
  8.3 Warhol and Flash worms 122
    8.3.1 Attacks against the Flash worm model 125
  8.4 Polymorphic traffic 126
  8.5 Using Web crawlers as worms 127
  8.6 Superworms and Curious Yellow 129
    8.6.1 Analysis of Curious Yellow 130
  8.7 Jumping executable worm 130
  8.8 Conclusions 131
    8.8.1 Signs of the future 132
    8.8.2 A call to action 132
  8.8 References 132

Part III Detection 135

9 Traffic Analysis 137
  9.1 Part overview 137
  9.2 Introduction to traffic analysis 138
  9.3 Traffic analysis setup 139
    9.3.1 The use of simulations 141
  9.4 Growth in traffic volume 142
    9.4.1 Exponential growth of server hits 143
  9.5 Rise in the number of scans and sweeps 143
    9.5.1 Exponential rise of unique sources 145
    9.5.2 Correlation analysis 147
    9.5.3 Detecting scans 148
  9.6 Change in traffic patterns for some hosts 148
  9.7 Predicting scans by analyzing the scan engine 150
  9.8 Discussion 156
    9.8.1 Strengths of traffic analysis 156
    9.8.2 Weaknesses of traffic analysis 156
  9.9 Conclusions 158
  9.10 Resources 158
    9.10.1 Packet capture tools 158
    9.10.2 Flow analysis tools 158
  9.10 References 159

10 Honeypots and Dark (Black Hole) Network Monitors 161
  10.1 Honeypots 162
    10.1.1 Risks of using honeypots 163
    10.1.2 The use of honeypots in worm analysis 163
    10.1.3 An example honeypot deployment 164
  10.2 Black hole monitoring 164
    10.2.1 Setting up a network black hole 166
    10.2.2 An example black hole monitor 167
    10.2.3 Analyzing black hole data 167
  10.3 Discussion 170
    10.3.1 Strengths of honeypot monitoring 170
    10.3.2 Weaknesses of honeypot monitoring 171
    10.3.3 Strengths of black hole monitoring 171
    10.3.4 Weaknesses of black hole monitoring 172
  10.4 Conclusions 172
  10.5 Resources 173
    10.5.1 Honeypot resources 173
    10.5.2 Black hole monitoring resources 173
  10.5 References 208

11 Signature-Based Detection 175
  11.1 Traditional paradigms in signature analysis 176
    11.1.1 Worm signatures 177
  11.2 Network signatures 177
    11.2.1 Distributed intrusion detection 179
  11.3 Log signatures 180
    11.3.1 Logfile processing 181
    11.3.2 A more versatile script 184
    11.3.3 A central log server 188
  11.4 File system signatures 190
    11.4.1 Chkrootkit 190
    11.4.2 Antivirus products 192
    11.4.3 Malicious payload content 194
  11.5 Analyzing the Slapper worm 195
  11.6 Creating signatures for detection engines 198
    11.6.1 For NIDS use 198
    11.6.2 For logfile analysis 200
    11.6.3 For antivirus products and file monitors 201
  11.7 Analysis of signature-based detection 204
    11.7.1 Strengths of signature-based detection methods 204
    11.7.2 Weaknesses in signature-based detection methods 205
  11.8 Conclusions 206
  11.9 Resources 206
    11.9.1 Logfile analysis tools 206
    11.9.2 Antivirus tools 207
    11.9.3 Network intrusion detection tools 207
  13.6 References 208

Part IV Defenses 209

12 Host-Based Defenses 211
  12.1 Part overview 211
  12.2 Host defense in depth 213
  12.3 Host firewalls 213
  12.4 Virus detection software 214
  12.5 Partitioned privileges 216
  12.6 Sandboxing of applications 219
  12.7 Disabling unneeded services and features 221
    12.7.1 Identifying services 221
    12.7.2 Features within a service 223
  12.8 Aggressively patching known holes 223
  12.9 Behavior limits on hosts 225
  12.10 Biologically inspired host defenses 227
  12.11 Discussion 229
    12.11.1 Strengths of host-based defense strategies 229
    12.11.2 Weaknesses of host-based defense strategies 229
  12.12 Conclusions 230
  12.11 References 230

13 Firewall and Network Defenses 233
  13.1 Example rules 234
  13.2 Perimeter firewalls 236
    13.2.1 Stopping existing worms 237
    13.2.2 Preventing future worms 238
    13.2.3 Inbound and outbound rules 238
  13.3 Subnet firewalls 239
    13.3.1 Defending against active worms 239
  13.4 Reactive IDS deployments 239
    13.4.1 Dynamically created rulesets 240
  13.5 Discussion 242
    13.5.1 Strengths of firewall defenses 242
    13.5.2 Weaknesses of firewall systems 242
  13.6 Conclusions 242
  13.6 References 243

14 Proxy-Based Defenses 245
  14.1 Example configuration 246
    14.1.1 Client configuration 248
  14.2 Authentication via the proxy server 249
  14.3 Mail server proxies 249
  14.4 Web-based proxies 251
  14.5 Discussion 253
    14.5.1 Strengths of proxy-based defenses 253
    14.5.2 Weaknesses of proxy-based defenses 253
  14.6 Conclusions 254
  14.7 Resources 254
  14.7 References 254

15 Attacking the Worm Network 257
  15.1 Shutdown messages 259
  15.2 “I am already infected” 260
  15.3 Poison updates 261
  15.4 Slowing down the spread 262
  15.5 Legal implications of attacking worm nodes 263
  15.6 A more professional and effective way to stop worms 264
  15.7 Discussion 266
    15.7.1 Strengths of attacking the worm network 266
    15.7.2 Weaknesses of attacking the worm network 266
  15.8 Conclusions 267
  15.8 References 267

16 Conclusions 269
  16.1 A current example 269
  16.2 Reacting to worms 270
    16.2.1 Detection 271
    16.2.2 Defenses 272
  16.3 Blind spots 273
  16.4 The continuing threat 273
    16.4.1 Existing worms 274
    16.4.2 Future worms 274
  16.5 Summary 275
  16.6 On-line resources 275
    16.6.1 RFC availability 275
    16.6.2 Educational material 275
    16.6.3 Common vendor resources 275
    16.6.4 Vendor-neutral sites 276
  16.6 References 277

About the Author 279
Index 281

Foreword

When I first heard about the concept of an Internet worm—long before I had my first close encounter with the network, back in the ages of its innocence—I was simply charmed—charmed and strangely attracted. It is difficult to answer why—in those days, the term did not seem to be synonymous with destruction, but with ingenuity—and something simply captivating hid behind such a broad and apparently trivial idea. Worms were a threat to be feared, but also the promise of a challenge. This promise put a sparkle into the eyes of many computer enthusiasts, people fascinated with the world of a machine—call them hackers if you wish—who, even though most of them would never admit this, walked a thin line between ambition and humility, imagination and reality, and the law and a common crime, people who would often find themselves on different sides of the barricade because of blind luck or sheer chance and not because of fundamental differences in how they perceived their world. For many, this world was the network. Those were the naive years, for me and for my colleagues. We had faced a fascinating idea that brought an expectation of a spectacular progress, a mental exercise for both those who defend the network and those who have chosen a less righteous path and we subconsciously hoped for the idea to become a reality. We both feared and admired this perspective, for we understood that it could not be undone.
We waited for the inevitable to come, for the next Morris worm perhaps—an elegant, fresh, novel, and effective predator that would make us feel good, once more fighting arm to arm against the threat that had to and would be stopped. We wanted to be amazed, and wanted to win a spectacular battle with no casualties. The last thing we imagined was that worms would become just another vector of pointless and mindless destruction. Why would they?

The last few years of the 1990s turned out to be a sudden and crude wakeup call. The reality turned those rusty ideals and silly dreams into empty words that I am ashamed to write. Worms turned out to be rude and primitive vandals, annoyances, and scavengers preying on the weak. Many have seen a significant regression in how those programs were developed and how the authors used the heritage of worms’ ancestors, “unplugged” viruses, which were creations with an extensive history of a constant and quite dramatic arms race. The Morris worm, even though fairly simple, seemed to be simply far more advanced and sophisticated than what came much later. The term became synonymous with bloat and malice. The most ambitious goal was to perform a denial of service attack against a well-known target, so that the author gets his or her 5 minutes in the media. The “real” worm was nowhere to be found, and so we became frustrated with the painful predictability of the reality, and with the fact that the network did not seem to be able to learn from its past mistakes, falling victim to the same almost effortless trick over and over again. It is important to educate, and I do feel it is a duty of every IT security professional to help others, often first convincing them they need to be helped, but what would I have told Jose then?
I think I would have advised him against writing this book, mostly because there was not much essential knowledge to add since David Ferbrache’s excellent book, which was the first book I read on this subject, and what good would there be in having a new book on the market? Today, however, partly because of Jose’s work, we are on the brink of a new era in worm development and prevention. The revolution is not coming, but we are starting to comprehend that simplicity can give a serious advantage, we are starting to learn, from some seemingly uninteresting incidents, how complex and surprising the dynamics of a worm ecosystem are and how they change because of a virtually irrelevant difference in a target selection algorithm or worm size. We are beginning to discover how to predict and analyze incidents better, and we are finally starting to use our brains to do so. Worm authors are beginning to notice that in a world that slowly but constantly obtains better defense systems and becomes more coordinated in its response against new threats, their developments must be smarter and better prepared. We are at a point where a new arms race is beginning and where we have enough data and understanding to observe the marvels of worm dynamics as they happen. For enthusiasts, the field is becoming a fascinating subject again; for professionals, the defense against worms is becoming more of a challenge and requires them to comprehend the entire world of such a creation much better.

Today, I am very glad a book like this is going to be published, and I am glad Jose is the one to write it. Although our paths have crossed only recently—3 years ago—I know he is an enthusiast at heart, and simply in love with his subject of choice, and that is what makes him seek the right answer instead of just stating the obvious.
His academic background lets him look at the life of a worm from a new, fresh perspective—but he is also an IT professional, speaking from an authoritative position and carefully avoiding common traps that lurk for the newcomers to the field. Although this is exactly the kind of praise a reader expects from a foreword, I strongly believe it could not get any better than having him here. The effect of his work—this book—is a first true overview of the history, techniques, trends, goals, and prospects in worm development, but also a solid dose of enlightening commentary, insight, original concepts, and predictions, always backed with a reasonable and unbiased analysis—a virtue hard to find in this complex and rapidly developing field. It is a very important contribution to this still-chaotic and fragmented field of research—and for that reason, I am truly glad that Jose gave me a chance to contribute to the book. Have a good reading.

Michal Zalewski
Security Researcher and Analyst
Warsaw, Poland
October 2003

Preface

The recent security history of the Internet is plagued with worms with colorful names: Melissa, Code Red, Sapphire, Nimda, and Ramen. All of these names commonly inspire knowing looks in the faces of network and security engineers. They remember the scramble to clean up the mess and contain the damage, countless hours or even days of damage inventory and cleanup, and the hours off-line. Melissa was not the first time a worm hit the Internet, and Sapphire won’t be the last. As I was writing this book, several new worms appeared and by the time you have read it, several more new ones will have surfaced.

My own experience with worms had been tangential up until early 2001. I had, of course, been curious about them, hearing reports of the Morris worm from 1988. As I was investigating several large incidents in the late 1990s, I started to see an increasing use of automation by worm creators.
This ultimately led to the ADMw0rm, several variants, and many other worms. Early in 2001, before Code Red and Nimda and during the spread of Ramen, I began work on a paper titled “The Future of Internet Worms” [1]. Together with Rick Wash, Chris Connelly, and Jeremy Anderson, we outlined several facets of new worms and made proposals about where worms could be headed. Most importantly, we attempted to encourage people to think about new directions in detection and defense strategies. The idea behind the paper, namely, the dissection of worms into six basic components, was more or less a “moment.” From there, the rest of it fell into place. The detection and defense strategies took the longest to develop because we wanted to do them right. That paper and its analysis form the core of this book.

Artech approached me in early 2002 to write this book and I was quite excited to do so, especially since I hadn’t seen a book on worms yet. Given the new challenges worms bring to the security professional, from the automation to the patterns of spread they use, worms need to be treated as more than close cousins of viruses. I hope this book fills a gap in Internet security discussions, and I hope it does so well. My goal was to write a book that could be used by a wide audience, particularly a more academic audience.

Intended audience

The book is written by an information security professional with several years of hands-on experience. The intended audience of this book is a similar set of professionals, namely:

◗ Security professionals. This book should assist in putting the rising trends of worms into perspective and provide valuable information in detection and defense techniques. While some of the material here is theoretical, much is practically oriented.

◗ Information security researchers. At the time of this writing, this is the only book focusing solely on worms.
Many reviewers have lumped worms together with viruses and other malicious mobile code but have failed to discuss their differences adequately. Worms have their own kinetics and features which work both for them and against them, as described in this book.

◗ Computer scientists. Information security is quickly becoming a more widely accessible education topic. This book is intended to supplement a course in network and system security.

Layout of this book

This book is laid out in four major parts. The first part provides background information for the field of worms research. This includes a formal definition of worms (Chapter 2), a discussion of the traffic they generate (Chapter 3), and the history and taxonomy of worms in Chapter 4. This section concludes by examining how a worm is constructed and how its major life cycle steps are implemented (Chapter 5).

The second part examines trends observed with network worms. It begins with a look at the infection patterns used by worms, including the network topologies they generate and the traffic patterns seen there (Chapter 6). The targets that worms have attacked over the years, including the likely targets of the immediate future, are discussed in Chapter 7. Last, an analysis of several papers that analyze the potential and likely futures of worms is presented in Chapter 8.

The third and fourth parts are more practical and attempt to use and build on the knowledge discussed in the first two sections. Part III analyzes how to detect worms, both in their early and late stages, using a variety of mechanisms. The strengths and weaknesses of three approaches—traffic analysis (Chapter 9), honeypots and dark network monitors (Chapter 10), and signature analysis (Chapter 11)—are discussed. The last part looks at ways to defend against network worms.
Four major methods are discussed including host-based defenses in Chapter 12, network firewalls and filters (Chapter 13), application layer proxies (Chapter 14), and a direct attack on the worm network itself in Chapter 15. The merits of each approach are analyzed and several examples are given for each system.

Readers will notice that the bulk of the material is in the third section and covers detection of worms. This was done for several major reasons. First, the detection of a worm when compared to an attacker acting alone requires a different set of data. When a worm is active, the time remaining to defend the network is dramatically shorter than it would be with a lone attacker. The second reason for the bias of the book’s contents is the fact that the strategies for defending against any worm are similar to those for defending against any attacker. However, the defenses must be raised more quickly and can sometimes be automated. Third, detection techniques hold substantially more interest for the author, and are the focus of much of my research and work. A natural bias arises from this interest and experience, leading to greater familiarity with this aspect of network security.

Assumed background

It would be impossible to introduce all of the background needed to understand Internet worms in one book. An attempt would surely fail to give adequate coverage and is better explained elsewhere. Furthermore, no room would be left to explain the focus of this book—how to detect and defend against Internet worm incidents. The reader is expected to have a good grasp of operating system concepts, including processes and privileges. A knowledge of both UNIX and Windows NT systems will go a long way toward understanding this material. An understanding of TCP/IP networking is assumed, as well as an understanding of Internet scale architecture. Last, an understanding of security principles, including vulnerabilities and how they are exploited, is required.
Only a working knowledge of these concepts is needed, not mastery. For the interested reader, the following references are recommended:

◗ TCP/IP Illustrated, Vol. 1, by W. Richard Stevens. Widely regarded as an authoritative volume on the subject, though a bit dated [2].

◗ Internetworking with TCP/IP, Vol. 1, by Douglas E. Comer. An excellent and highly regarded volume, also more up to date than Stevens [3].

◗ Advanced Programming in the UNIX Environment, W. Richard Stevens. Perhaps the single best guide to general UNIX internals [4].

◗ Inside Microsoft Windows 2000, David A. Solomon and Mark Russinovich. A similar guide to Windows NT and 2000 internals [5].

◗ Hacking Exposed, 3rd ed., Stuart McClure, Joel Scambray, and George Kurtz. An excellent sweep of current security concerns and how they are exploited by an attacker [6].

◗ Network Intrusion Detection: An Analyst’s Handbook, 2nd ed., Stephen Northcutt, Donald McLachlan, and Judy Novak. An excellent introduction to the hands-on knowledge of network-based intrusion detection [7].

◗ Firewalls and Internet Security, William R. Cheswick and Steven M. Bellovin. A recently released second edition brings this classic up to date [8].

◗ Interconnections, Radia Perlman. Excellent coverage of network infrastructure from principles to practice [9].

The coverage provided by these references has made them the staple of many information security professionals.

Legal issues

A reader who has already flipped through this book or taken a close look at the table of contents will notice little mention is made of legal actions as a fight against network worms. This legal action would be against the author of the original worm or even the owners of hosts that are infected with a worm and targeting your hosts or network. The reasons why this information is missing are quite simple. First, I am not legally qualified to give such advice.
Laws in the United States, United Kingdom, and elsewhere differ substantially as to culpability for actions and negligence. Second, it is difficult to trace the worm back to an author or even to an introduction point. Even if it can be done, the evidence in computer crimes is typically tampered with, either deliberately or accidentally, and the forensic value of it is therefore significantly diminished. Effective tracking is only worsened when an amateur attempts to perform an investigation. So far, very few books have been written on criminal and civil penalties for computer crimes. The laws in most countries are unclear in this area and are still being developed. As such, it is best to leave it to the authorities to perform such investigations. However, as a legal defense, it is typically wise to clean up and remedy any worm-compromised hosts you find on your own network, lest you become a groundbreaking legal case.

Furthermore, software companies may begin facing liability lawsuits for their software flaws that lead to worms. A Korean group has filed a lawsuit against Microsoft Corporation’s Korean subsidiary, along with a Korean ISP and the country’s Information Ministry [10]. The lawsuit holds the defendants responsible for the outages caused by the Sapphire worm in January 2003, which interrupted their business operations and ultimately cost them money. It is unclear what future this lawsuit will enjoy, but this action has been suggested before.

UNIX examples

Most of the examples in this book are shown on UNIX systems. This is due to my everyday use of UNIX, as well as to the plethora of tools available for analyzing networks on UNIX systems. With the advent of Windows NT and 2000, many more tools became available for those platforms. Additionally, the Cygwin POSIX environment added a UNIX-like command line. There is no longer a limitation to running many of the commands and much of the analysis shown here.
These tools include the Korn shell, Perl, and Awk languages used in data analysis, tcpdump and other packet capture tools, and various packet creation libraries. Also, some of the data are from live networks and real IP addresses are sometimes shown. Lastly, several commercial tools are shown as examples of utility and data. This is not meant to endorse any of the tools in the book. They were used as they illustrated the situation and were available on hand. People wishing to make purchases of such tools are encouraged to review the literature and obtain demonstration copies of the software.

Acknowledgments

Writing is hard work, and it takes a cast of many to pull it off. I am, of course, grateful to my colleagues at Crimelabs Research. In particular, in 2001, I worked with Jeremy Anderson, Rick Wash and Chris Connelly on a paper titled “The Future of Internet Worms,” much of which is reused here. I am indebted to them for their assistance and lively discussions and most importantly, for their contributions to that paper and to this book. The kind folks at the Blackhat Briefings were gracious enough to allow someone relatively unknown like myself to take the stage and make a presentation, and that certainly made a difference in this book coming to life.

While writing this book, I listened to a lot of music and drank a lot of coffee. While I don’t like to sit and listen to trance music, it does help me work. And for what it’s worth, I drank a lot of Kona blend while writing. With a little assistance, you’d be surprised at what you can accomplish in a weekend.

My employer, Arbor Networks, and many of my coworkers deserve a big hearty thank you. They include Michael Bailey, Robert Stone, and Robert Malan. Furthermore, I express my sincere appreciation to those who have helped to contribute to the data in this book. These people include Dug Song, Niels Provos, Michal Zalewski, and Vern Paxson.
I cite them where appropriate in the text, and thank them here for their ideas and discussions with me. A big, hearty, and earnest thank you needs to go to the following people and groups: CERT, eEye, Incidents.org, the guys at Renesys, the people at Triumf.ca, and people on the incidents list at SecurityFocus. Bruce Ediger enthusiastically sent me a great writeup of the WANK and OILZ worms reproduced from a LLNL paper from 1991. Hordes of people sent worm data to a stranger (me!) to analyze. This list includes the gang at digitaloffense.net, Henry Sieff, Domas Mituzas, KF, James P. Kinney III, Todd Fries, and some of the folks at securityfocus.com. Others include Vern Paxson, Andrew Daviel, and Ivan Arce. I am very grateful to them for their data. Not all of it appears here, but it was useful in the building of this book. Thank you. I begged, borrowed, and gathered equipment to construct “wormnet” for data analysis from the following people: Paul Schneider, Matt Smart, John Poland, and Beth Platt. Aidan Dysart helped show me how to prepare some much better looking figures, and Bill Merrill prepared some improved figures for me in a short time frame. Gigantic thanks go to the following people for reviews of the manuscript as it was being prepared: Tom Flavel, Seth Arnold, Michal Zalewski, Jennifer Burchill, Duncan Lowne, and Stephen Friedl. Jennifer went through the manuscript with a fine-tooth comb and really improved my very rough draft. Stephen assisted with some of the technical issues in the manuscript, and Michal offered deep technical and grammatical insight that I value greatly. Lastly, and most importantly, I must acknowledge Beth and her support. You make my life a joy and a pleasure; thanks for the understanding during the preparation of this manuscript.