It is all about how a virus works. You said: on a Layer 2 network, it is easy.
Why is it easy? Imagine a Layer 2 network with 200 uninfected Windows computers and 1 infected Windows computer (assume the virus spreads via port 139 and/or 445). The virus will spread very fast if these ports are open (they are open by default).
So, what happens here? The infected machine is able to communicate with all computers in the subnet and check whether port 139 is open. The virus finds a machine with port 139 open and then moves onto that computer. Now the two of them will do the same thing with the next computer, until all of them are infected.
What made it easy for the virus to spread here? The assumption (or knowledge) that there are Windows computers in the same subnet. I am not a Windows guru, but I still remember there is such a thing as Windows Network Neighborhood: you open it and you see the Windows computers in the same workgroup. You just need to register your machine, and all computers in the same workgroup will know about the existence of your computer. So the virus can probably take advantage of this auto-discovery feature and just get a list of the computers around it. After that the virus just infects those computers.
And a great number of Windows computers are vulnerable to a port 139 exploit. This port is open by default and unfortunately it is very dangerous.
Now imagine two subnets. Without additional configuration, computers there cannot be part of the same workgroup. So the virus cannot obtain a list of computers on the other subnet. It does not know where to go. It cannot infect them without connecting to them. It is like this: you cannot give me a box if you do not know my location.
This is the first answer: on Layer 2 it is easy to guess the addresses of neighboring machines (192.168.0.x, 192.168.0.x+1, ...).
Second answer: subnets are divided by routers. Most often routers have firewalls, and most often sysadmins close unnecessary and dangerous ports on them to prevent unauthorized access and viruses spreading around.
Even if the infected machine knows the addresses of computers in a different subnet, the firewall will not allow the virus to spread (if the necessary ports are blocked).
And think of this from a simple viewpoint. There is no magic involved. A virus is a computer program. In order to connect to a different computer on the network, these conditions must be TRUE:
- Program knows IP address of destination
- Program knows network port of destination
- Network communication is possible between Origin and Destination
In a Layer 2 Windows network all these conditions are often TRUE by default.
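The three conditions listed in the answer above, played out in code. This is an added simulation, not code from the original answer or from any real worm: hosts, the two /24 subnets, the router and its port filter are all constructed in-memory objects, and nothing is sent on the wire. It assumes the answer's setup (200 Windows hosts per subnet with 139/445 open by default, a worm that can only guess addresses on its own segment unless told otherwise) and shows which condition fails in each of the cross-subnet cases.

```python
"""Simulation of the three conditions a worm needs in order to reach a host.

Everything here is constructed for illustration: hosts, subnets and the
router firewall are in-memory objects; no packets are ever sent.
"""
import ipaddress
from dataclasses import dataclass, field

# Ports the answer assumes the worm uses (NetBIOS session / SMB).
WORM_PORTS = (139, 445)


@dataclass
class Host:
    ip: ipaddress.IPv4Address
    open_ports: frozenset = frozenset(WORM_PORTS)  # "open by default" on the assumed Windows boxes
    infected: bool = False


@dataclass
class Network:
    """Hosts on /24 subnets joined by a router that may filter ports between them."""
    hosts: dict = field(default_factory=dict)   # IPv4Address -> Host
    blocked_ports: frozenset = frozenset()       # ports the router drops between subnets

    @staticmethod
    def subnet_of(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def reachable(self, src, dst, port):
        # Condition 3: is network communication possible on that port?
        if self.subnet_of(src) == self.subnet_of(dst):
            return True                           # same Layer 2 segment, no router in the path
        return port not in self.blocked_ports     # otherwise the router's filter decides


def candidate_targets(net, src, known_subnets=()):
    """Condition 1: which IP addresses does the worm know about?

    On its own segment it simply walks .1, .2, .3, ... (neighbouring addresses
    are trivial to guess).  Other subnets are tried only if the worm was handed
    them explicitly; by default it has no idea they exist.
    """
    subnets = [net.subnet_of(src)] + [ipaddress.ip_network(s) for s in known_subnets]
    for subnet in subnets:
        for ip in subnet.hosts():
            if ip != src:
                yield ip


def spread(net, patient_zero, known_subnets=()):
    """Breadth-first infection: every infected host probes every candidate once."""
    net.hosts[patient_zero].infected = True
    queue = [patient_zero]
    while queue:
        src = queue.pop(0)
        for ip in candidate_targets(net, src, known_subnets):
            dst = net.hosts.get(ip)
            if dst is None or dst.infected:
                continue
            # Condition 2: the worm knows the port; it tries each one it was written for.
            for port in WORM_PORTS:
                if port in dst.open_ports and net.reachable(src, ip, port):
                    dst.infected = True
                    queue.append(ip)
                    break
    return sum(1 for h in net.hosts.values() if h.infected)


def build_network(blocked_ports=()):
    """Constructed sample: 200 hosts on 192.168.0.0/24 and 200 on 192.168.1.0/24."""
    net = Network(blocked_ports=frozenset(blocked_ports))
    for subnet in ("192.168.0.0/24", "192.168.1.0/24"):
        for ip in list(ipaddress.ip_network(subnet).hosts())[:200]:
            net.hosts[ip] = Host(ip)
    return net


def infected_per_subnet(net):
    counts = {}
    for h in net.hosts.values():
        key = str(net.subnet_of(h.ip))
        counts[key] = counts.get(key, 0) + int(h.infected)
    return counts


def run_scenarios():
    """Returns infected-host counts per subnet for the three cases in the answer."""
    results = {}
    zero = ipaddress.ip_address("192.168.0.10")

    # 1. Worm knows only its own /24: the other subnet is never even probed (condition 1 fails).
    net = build_network()
    spread(net, zero)
    results["local_only"] = infected_per_subnet(net)

    # 2. Worm is told about 192.168.1.0/24, but the router drops 139/445 (condition 3 fails).
    net = build_network(blocked_ports=WORM_PORTS)
    spread(net, zero, known_subnets=("192.168.1.0/24",))
    results["known_but_filtered"] = infected_per_subnet(net)

    # 3. Worm knows the other subnet and the router passes everything: all three conditions hold.
    net = build_network()
    spread(net, zero, known_subnets=("192.168.1.0/24",))
    results["known_and_open"] = infected_per_subnet(net)
    return results


if __name__ == "__main__":
    for name, counts in run_scenarios().items():
        print(name, counts)
```

In the first two scenarios the whole local /24 is infected while 192.168.1.0/24 stays clean, for different reasons: in the first the worm never generates those addresses, in the second it generates them but the router drops every port it uses. Only when both the address list and the path are available does the second subnet fall, which is exactly the point of the three-condition list.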
Worms do differ from other sorts of malware in that their definitive purpose is to spread. The method by which they do this can vary depending on the scope of the worm and the era it was written in. Generally, they are designed to do network scans and look at available hosts and what ports/services are open. If they spot a vulnerability they will initiate a connection, replicate and repeat. – MaQleod – 2014-02-20T21:41:01.923
To expand on what I said above, there are various scopes for worms. Some are written specifically to spread via an IM protocol, or over IRC. They are written with a specific exploit or user action in mind and use existing connections to copy themselves rather than scanning entire networks for vulnerabilities. – MaQleod – 2014-02-20T21:43:29.417
How is this done? The number of ways this can be done could fill a 500-page book. – Ramhound – 2014-02-20T22:05:26.323