wiredfool

Another month, another exploit

Those of you with Windows machines, or who know people with Windows machines, have probably already heard of this one. Even Slashdot knew of the vulnerability a couple of weeks ago when the patch came out. There was a rustling and murmuring that this could be bad, since it takes no user action to spread.

But it’s not as bad as it could be. I’ve only seen a couple of hundred packets that might be probes for infection (as opposed to the usual bozons). It is apparently reasonably obvious that something is happening when you get infected. This slows the spread. It opens more than one port for communication that isn’t normally allowed by firewalls. (Hell, none of the ports it uses should be accessible through a firewall.) It’s a TCP scan, not a UDP one. There’s a whole communication loop that has to happen for each infection instead of just spewing packets into the ether.

Someday we’re going to see a worm that is:

  • UDP based – with single-packet infection.
  • Has a vulnerable population of ~50%+ of the net community.
  • Has all the Warhol worm ‘efficient search’ ideas down.
  • And goes off when the net is already overloaded, such as during the annual Victoria’s Secret fashion show.

And it’s not going to be pretty.
