I just ran across This presentation (powerpoint format–blame the Arbor Networks guys) by Jose Nazario of Arbor Networks discussing a formula for predicting “wormability” of an exploit.

wormability (n) - The potential for a vulnerability’s use as the propagation attack in an Internet worm.

According to a story at The Register, it predicted Sasser but failed to predict Witty. Still, so long as it misses, rather than producing False Positives, it could be an extremely valuable tool.

Taking a stance as to whether a worm could be coming is something that I get to do every time a major vulnerability comes out, so I’m extremely interested in seeing where this goes. The model isn’t perfect–nor can you expect it to be. In many regards, it’s not all that different than predicting the weather–it might be able to make a pretty good guess, but only time will tell for sure. But if it could reliably predict the Big Ones, then could add a lot of value in terms of priortization or making sure that something subtle didn’t slip under the radar.

Note: This seems to follow-up on many of the concepts originally presented in his May 2004 Paper on The Evolving Worm Ecology (pdf), so you probably want to read it, too.