How do worms spread across networks?

0

I got asked by one of our sales people whether it is possible that a virus can spread across networks, VLANs or subnets?

I answered that a virus most likely won't, but worms might. But when asked how, I realized that I actually don't have a solid understanding of how worms spread...

On a layer 2 network, it is easy, but what about layer 3 (like spreading across subnets or VLANs)? How do worms do that automatically?

m1xed0s

Posted 2014-02-20T21:24:25.890

Reputation: 87

Question was closed 2014-02-22T04:14:07.623

Worms do differ from other sorts of malware in that their definitive purpose is to spread. The method by which they do this can vary depending on the scope of the worm and the era it was written in. Generally, they are designed to do network scans and look at available hosts and what ports/services are open. If they spot a vulnerability they will initiate a connection, replicate and repeat. – MaQleod – 2014-02-20T21:41:01.923

To expand on what I said above, there are various scopes for worms. Some are written specifically to spread via an IM protocol, or over IRC. They are written with a specific exploit or user action in mind and use existing connections to copy themselves rather than to scan entire networks for vulnerabilities. – MaQleod – 2014-02-20T21:43:29.417

3 How is this done. The number of ways this can be done could fill a 500 page book – Ramhound – 2014-02-20T22:05:26.323

Answers

2

It is all about how a virus works. You said "On layer 2 network, it is easy."

Why is it easy? Imagine a Level 2 network with 200 uninfected Windows computers and 1 infected Windows computer (assume the virus spreads around via port 139 and/or 445). The virus will spread around very fast if these ports are open (they are open by default).

So, what happens here? The infected machine is able to communicate with all computers in the subnet and check if port 139 is open. The virus finds a machine with port 139 open and after that it goes onto this computer. Now the two of them will do the same thing with the next computer until all of them are infected.

What made it easy for the virus to spread around here? The assumption (or knowledge) that there are Windows computers around in the same subnet. I am not a Windows guru, but I still remember there is such a thing as Windows Network Neighborhood - you open it and you see Windows computers in the same workgroup. You just need to register your machine and all computers in the same workgroup will know about the existence of your computer. So the virus can probably take advantage of this auto discovery feature and just get a list of the computers which are around. After that the virus just infects those computers.

And a great number of Windows computers are vulnerable to a port 139 exploit. This port is open by default and unfortunately it is very dangerous.

Now imagine two subnets. Without additional configuration, computers there cannot be part of the same Workgroup. So, the virus cannot obtain a list of computers on a different subnet. It does not know where to go. It cannot infect them without connecting to them. It is like how you cannot give me a box if you do not know my location.

This is the first answer - in Layer 2 it is easy to guess the addresses of neighboring machines. (192.168.0.x, 192.168.0.x+1 ... )

Second answer - subnets are divided by routers. Most often routers have firewalls. And most often sysadmins close unnecessary and dangerous ports on them to prevent unauthorized access and viruses spreading around.

Even if the infected machine knows the addresses of computers in a different subnet, the firewall will not allow the virus to spread (if the necessary ports are blocked).

And think of this from a simple viewpoint. There is no magic involved. A virus is a computer program. In order to connect to a different computer in the network, these conditions should be TRUE:

  • Program knows IP address of destination
  • Program knows network port of destination
  • Network communication is possible between Origin and Destination

In a Layer two Windows network all these conditions are often TRUE by default.

VL-80

Posted 2014-02-20T21:24:25.890

Reputation: 3 867

Thanks, that indeed is helpful. Do you by any chance know of a detected worm that could spread across networks? – m1xed0s – 2014-02-21T14:03:21.357

No, at the moment I am not aware of any. – VL-80 – 2014-02-21T15:12:37.977
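The three conditions listed in the answer above are also what a defender can look for in flow logs: one source reaching many peers on ports 139/445, with the router firewall either passing or denying the attempts that leave the subnet. The following is an added example, not part of the original post; the log format, addresses, /24 subnet size and fan-out threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WATCHED_PORTS = {139, 445}  # the ports named in the answer
FANOUT_THRESHOLD = 4        # assumed cutoff: distinct peers per source before flagging

# Constructed sample flow records: "src dst dst_port firewall_action"
SAMPLE_FLOWS = """\
10.0.1.15 10.0.1.20 445 allow
10.0.1.15 10.0.1.21 445 allow
10.0.1.15 10.0.1.22 445 allow
10.0.1.15 10.0.1.23 139 allow
10.0.1.15 10.0.2.10 445 deny
10.0.1.15 10.0.2.11 445 deny
10.0.1.30 10.0.1.5 445 allow
10.0.1.30 10.0.2.40 443 allow
10.0.2.40 10.0.1.5 445 allow
"""

def parse_flows(text):
    """Yield (src, dst, port, action) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   int(parts[2]), parts[3])
        except ValueError:
            continue  # not a valid IP address

def find_fanout(text, prefix_len=24, threshold=FANOUT_THRESHOLD):
    """Return sources that contacted >= threshold distinct hosts on watched ports."""
    stats = defaultdict(lambda: {"peers": set(), "cross_allowed": set(), "cross_denied": set()})
    for src, dst, port, action in parse_flows(text):
        if port not in WATCHED_PORTS:
            continue
        entry = stats[str(src)]
        entry["peers"].add(str(dst))
        # Assumed subnet boundary: the source's own /prefix_len network.
        local = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if dst not in local:  # this attempt had to cross the router/firewall
            key = "cross_allowed" if action == "allow" else "cross_denied"
            entry[key].add(str(dst))
    return {s: {k: sorted(v) for k, v in e.items()}
            for s, e in stats.items() if len(e["peers"]) >= threshold}

if __name__ == "__main__":
    for src, summary in find_fanout(SAMPLE_FLOWS).items():
        print(src, summary)
```

A flagged source with an empty `cross_allowed` list matches the answer's second point: the router firewall blocked the ports between subnets. Any entry in `cross_allowed` is a path worth closing.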

1

A virus (like its biological counterpart) hijacks other activity (running an infected program, booting infected media) to take control (to search for other susceptible hosts, be it programs or bootable media; and finally for vandalism or other mayhem).

A worm (also like its biological counterpart) is an independent process that looks for susceptible hosts (machines on the net in this case) to which to spread.

By its definition, a virus doesn't spread (directly) from one machine to the next. Worms spread from one machine to the next through different means, either directly by exploiting some vulnerability in the target or by tricking the user into starting them.

vonbrand

Posted 2014-02-20T21:24:25.890

Reputation: 2 083