Re: management interface accessability (was Re: Worm / UDP1434)

[Iljitsch van Beijnum <iljitsch () muada com>]

On Sun, 26 Jan 2003, Chris Lloyd wrote:

> > Just a point here:  Many road warriors are work-at-home folks who have
> > their computers on 24x7.  They may be infected, and will fire up their
> > VPN tunnels Monday morning.  This may introduce the worm into the chewy
> > center of many corporate networks.  Hopefully folks have put the proper
> > filters in place on their VPN access points.

> Personally, I think it's unlikely the situation will get worse on Monday
> because of people starting work. The first reason is that you can only get
> infected if you're running SQL server (or MSDE) at home and someone sends you
> one of the special packets. The second reason is that you, if you're infected,
> send the packets to random IP addresses, and not only do you have to randomly
> choose an address on the corporate LAN, but it has to be a machine running
> SQL server. To my mind the probability of all these things being the case
> is microscopic!

The worm prefers addresses "close to home" and sends out tens of
thousands of packets per second. Depending on the preference for local
addresses a single infected host could infect an entire /16 in a few
seconds, and a /8 in less than an hour. The entire internet takes less
than a week if the random address generator doesn't re-hit the same
addresses.

One interesting aspect of this worm is that it seems capable of passing
through all kinds of barriers. After two infected machines were cleaned
up and filters were in place, I still saw one or two copies of the worm
coming in addressed to the subnet broadcast addresses on interfaces
facing the local network. Finding out how exactly the worm (ab)used
broadcast and multicast addresses is going to be fertile ground for
research.