- Random IP dialing
- Browser Exploit
- Control Server
- Public Services
And then there's Methods 3 and 4. Three is the usual way: Set up a Control Server to act as the worms head, locate potential vulnerable servers with it, pass their location to the client, client exploits it for you. The problem is this gives the worm a head, and when the heads chopped off the worm dies. Also for a large worm, you need a server that can handle such a huge load.
It adds a extra level of danger to persistent XSS and SQL injections. Hopefully this isn't all too difficult for developers to grasp.