Characterizing Internet Worm Infection Structure.

link: http://arxiv.org/abs/1001.1195
Abstract

Internet worm infection continues to be one of the top security threats.
Moreover, worm infection has been widely used by botnets to recruit new bots
and construct P2P-based botnets. In this work, we attempt to characterize the
network structure of Internet worm infection and shed light on the micro-level
information of "who infects whom." Our work quantifies the infection ability of
individual hosts and reveals the key characteristics of the underlying
topologies formed by worm infection, i.e., the number of children and the
generation of the Internet worm infection family tree. Specifically, we first
analyze the infection tree of a wide class of worms, for which a new victim is
compromised by each existing infected host with equal probability. We find that
the number of children asymptotically follows a geometric distribution with
parameter 0.5. We also discover that the generation closely follows a Poisson
distribution and the average path length of the worm infection family tree
increases approximately logarithmically with the total number of infected
hosts. Using the Code Red v2 worm as an example, we then apply simulations to
verify the analytical results. Next, we empirically study the infection
structure of localized-scanning worms and surprisingly find that most previous
observations also apply to localized-scanning worms. Finally, we apply our
findings to develop bot detection methods and study potential countermeasures
by future botnets.
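The following simulation is an added illustration and not code from the paper: it builds the infection family tree of the abstract's model (every new victim is compromised by one of the already-infected hosts, each equally likely) and measures the number of children and the generation of each host so the geometric(0.5), Poisson-like and logarithmic claims can be checked numerically. The host count, the seed and the helper names are my own choices.

```python
import random
from collections import Counter

def simulate_infection_tree(n_hosts, seed=1):
    """Return parent[] for an n_hosts tree; parent[0] == -1 marks patient zero."""
    rng = random.Random(seed)
    parent = [-1]
    for victim in range(1, n_hosts):
        # The infector is drawn uniformly from the hosts infected so far.
        parent.append(rng.randrange(victim))
    return parent

def children_distribution(parent):
    """Fraction of hosts that infected exactly c others, keyed by c."""
    n = len(parent)
    n_children = Counter(p for p in parent if p >= 0)
    hist = Counter(n_children.get(h, 0) for h in range(n))
    return {c: k / n for c, k in sorted(hist.items())}

def geometric_half(c):
    """The paper's asymptotic prediction P(children = c) = 0.5 * 0.5**c."""
    return 0.5 ** (c + 1)

def generations(parent):
    """Generation (depth) of every host; patient zero is generation 0."""
    depth = [0] * len(parent)
    for h in range(1, len(parent)):
        depth[h] = depth[parent[h]] + 1  # an infector always precedes its victims
    return depth

def generation_stats(parent):
    """Mean and variance of the generation; for a Poisson law they coincide."""
    d = generations(parent)
    mean = sum(d) / len(d)
    var = sum((x - mean) ** 2 for x in d) / len(d)
    return mean, var

def predicted_mean_generation(n_hosts):
    """Exact expected average path length under this model, H_{n-1} - (n-1)/n,
    which grows like ln(n): the paper's logarithmic-growth claim."""
    harmonic = sum(1.0 / i for i in range(1, n_hosts))
    return harmonic - (n_hosts - 1) / n_hosts

if __name__ == "__main__":
    tree = simulate_infection_tree(50_000, seed=7)
    for c, frac in list(children_distribution(tree).items())[:5]:
        print(f"children={c}: observed {frac:.3f}, predicted {geometric_half(c):.3f}")
    mean, var = generation_stats(tree)
    print(f"generation mean={mean:.2f} var={var:.2f} predicted mean={predicted_mean_generation(50_000):.2f}")
```

Because the tree is built by uniform attachment, the observed child fractions sit close to 0.5, 0.25, 0.125, ... and the generation variance stays close to its mean, which is what the abstract's geometric and Poisson statements predict.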