Vulnerability Development mailing list archives

Router worm exploiting poor SNMP security.


From: Lars Nygård <lars () SNART COM>
Date: Tue, 12 Dec 2000 23:58:23 -0000

Is it possible to write a worm for routers that 
spreads via SNMP? I'm guessing this is way too 
easy to do. This is based on my knowledge of Nortel 
routers, and low security awareness among people 
when it comes to routers: 
I will utilize the following weaknesses.
1. Nortel/Bay routers use by default the SNMP 
community string "public" as read/write for everyone.
2. Nearby routers are often included in access lists.
3. SNMP is not a secure protocol.

Let's say I write a little program, or batch script, that 
starts by taking advantage of this.
- This little script takes a look at which SNMP 
communities are stored in the router MIB and writes 
them to a file.
- The next step is to look for other routers nearby by 
looking at my routing table, OSPF neighbours etc.
- Then my script checks to see if any of the 
communities it found are read/write on any nearby 
routers by sending an SNMP packet.
- If a read/write community is found, it uploads the list 
of known communities and itself to the nearby router, 
then executes the script on that router.
- Then my script leaves a text file saying "I was here" 
and deletes itself (or potentially deletes all files and 
schedules a boot on 1 January 2000, but that would 
be mean).

Two questions:
Can anyone tell me any reason why this can't work?

I base this upon my knowledge of Nortel routers and 
BayRS. Is there any reason why a similar procedure 
can't work with Cisco?

-- Lars Nygard
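An added example (the editor's, not code from the post above) for the one step in the message that is pure protocol work: checking whether a community string is read-only or read/write on a neighbouring router by sending SNMP packets. It builds and parses SNMPv1 (RFC 1157) messages by hand, so it runs on the Python standard library alone, and its write test is non-destructive: it SETs sysName.0 to the value it just read. The neighbour "routers" it talks to are constructed in-process stand-ins, the IP addresses and community strings are made up, and the helper names (build, parse, probe_community, fake_router, audit) are this example's own. To run it against a real agent, replace the stand-in transport with a UDP send and receive to port 161 on a device you are authorised to test.

```python
# Added example, not the poster's code: SNMPv1 (RFC 1157) community audit in plain Python.
# The lab "routers" and every name below are this example's own construction.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # BER tags
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3                  # PDU tags
SYS_NAME = "1.3.6.1.2.1.1.5.0"   # sysName.0: readable everywhere, writable on most agents
NULL_VALUE = bytes([NULL, 0])    # the empty value a GetRequest carries

def tlv(tag, body):
    n = len(body)                # BER definite length: short form below 128 bytes, long form above
    size = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def encode_int(v):               # non-negative values only (request ids, error codes)
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def decode_int(body):
    return int.from_bytes(body, "big", signed=True)

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:          # base 128, continuation bit set on all but the last byte
        groups = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            groups.insert(0, 0x80 | (p & 0x7F))
        out += bytes(groups)
    return tlv(OID, bytes(out))
def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))

def build(community, pdu_type, request_id, varbinds):
    """varbinds: [(dotted oid, encoded value)]. The community string goes into the packet
    as plain bytes, so a single sniffed packet is enough to learn it."""
    vbl = b"".join(tlv(SEQUENCE, encode_oid(o) + v) for o, v in varbinds)
    pdu = tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def parse(data):
    """Decode one SNMPv1 message; values other than INTEGER/OCTET STRING decode as None."""
    _, msg, _ = read_tlv(data, 0)              # outer SEQUENCE
    _, _, p = read_tlv(msg, 0)                 # version (0 for SNMPv1)
    _, comm, p = read_tlv(msg, p)
    pdu_type, pdu, _ = read_tlv(msg, p)
    _, rid, p = read_tlv(pdu, 0)
    _, status, p = read_tlv(pdu, p)
    _, _, p = read_tlv(pdu, p)                 # error-index, unused here
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, p = {}, 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds[decode_oid(oid)] = val if vtag == OCTET_STRING else decode_int(val) if vtag == INTEGER else None
    return {"community": comm.decode(errors="replace"), "pdu_type": pdu_type,
            "request_id": decode_int(rid), "error_status": decode_int(status), "varbinds": varbinds}

def probe_community(community, transport, request_id=1):
    """Return 'rw', 'ro' or None. transport(packet) -> reply bytes, or None on timeout.
    The write test is non-destructive: it SETs sysName to the value it just read."""
    reply = transport(build(community, GET_REQUEST, request_id, [(SYS_NAME, NULL_VALUE)]))
    r = parse(reply) if reply else None
    if not r or r["request_id"] != request_id or r["error_status"] != 0 \
            or not isinstance(r["varbinds"].get(SYS_NAME), bytes):
        return None
    reply = transport(build(community, SET_REQUEST, request_id + 1,
                            [(SYS_NAME, tlv(OCTET_STRING, r["varbinds"][SYS_NAME]))]))
    if reply is None:                          # many agents silently drop a SET they refuse
        return "ro"
    r = parse(reply)
    return "rw" if r["request_id"] == request_id + 1 and r["error_status"] == 0 else "ro"

def fake_router(communities, sysname=b"bay-rtr-1"):
    # Constructed agent: name -> 'ro' | 'rw'. Unknown community: silent drop. Refused SET: noSuchName(2).
    def transport(packet):
        req = parse(packet)
        access = communities.get(req["community"])
        if access is None:
            return None
        status = 2 if req["pdu_type"] == SET_REQUEST and access != "rw" else 0
        pdu = tlv(GET_RESPONSE, encode_int(req["request_id"]) + encode_int(status) + encode_int(0)
                  + tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(SYS_NAME) + tlv(OCTET_STRING, sysname))))
        return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, req["community"].encode()) + pdu)
    return transport

def audit(neighbors, communities):
    """neighbors: {ip: transport}. Returns {ip: {community: access}}, skipping silent routers."""
    hits = {ip: {c: a for c in communities if (a := probe_community(c, t))} for ip, t in neighbors.items()}
    return {ip: h for ip, h in hits.items() if h}

if __name__ == "__main__":
    lab = {"10.0.0.1": fake_router({"public": "rw"}),                 # factory default, read/write
           "10.0.0.2": fake_router({"public": "ro", "s3cret": "rw"}),
           "10.0.0.3": fake_router({"ops-only": "rw"})}                # never answers our strings
    print(audit(lab, ["public", "private", "s3cret"]))
```

Two things the run makes concrete: the community string sits in every packet as plain bytes, so "SNMP is not a secure protocol" is literal, anyone on the path can read it; and a factory-default read/write community is the only thing the SET needs to succeed. SNMPv1 has no stronger authentication to turn on; the fixes are per-community access lists on the agent, non-default strings, and SNMPv3 with authentication where the platform supports it.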

