A recent article about the SoBig.F virus in the Economist magazine mentioned the idea of a so-called “Warhol Worm”. I’d never heard this term before, so I went looking for the original use. Nicholas Weaver of UCB turns out to have coined this term to denote a worm that could infect every potential host in 15 minutes. This is of course a reference to Andy Warhol’s quip that “In the future, everybody will have 15 minutes of fame”.
If you read Weaver’s article, though, you’ll see that the important thing isn’t how long a worm is famous for. Instead, he postulates (among other mechanisms) an author who quietly scans the internet for a particular vulnerability for some time, perhaps weeks or months, in order to build a list of susceptible machines. When the worm is released, these machines are used as the initial attack set. Combining a “hitlist” of 10,000 to 50,000 machines with other techniques, the result would be very fast infection of all potential machines, certainly far faster than security software vendors could possibly respond.
SoBig.F wasn’t a Warhol Worm, and I don’t know that we’ve seen one yet. The
possibility that someone might use this “hitlist scanning” technique is just
another reason to keep up to date with all those security patches, even for
vulnerabilities for which no exploit is yet known.