Friday, February 13, 2009

Conficker/Downadup virus

I wonder if this new virus had any origins in Microsoft Teredo. Teredo, the open tunnel that lets Vista hosts behind NAT firewalls be reached over a bidirectional UDP tunnel brokered by Teredo servers on the Internet, is just BEGGING to be exploited. Get into just one of the Teredo servers and you could have a path to nearly every Vista machine on the Internet - including ones behind NAT firewalls. Nice, huh? Take it a step further and imagine that a single exploited Vista host on your network could then launch attacks against the existing XP and MS server OS base behind your firewall. Did that send a shiver up your IT spine? It should have.

You could take preemptive steps and do some trickery on the firewall. Teredo rides inside ordinary IPv4 UDP, so block outbound UDP to port 3544 (the well-known Teredo server port) at the perimeter, or turn Teredo off on the hosts themselves (netsh interface teredo set state disabled). But most people don't, and they aren't even aware they need to. Furthermore, most IDS systems still inspect IPv4 only and simply ignore the IPv6 traffic carried inside Teredo, whose addresses sit under the 2001:0::/32 prefix.
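As an added example (not part of the original post, and not Microsoft's code), here is the inspection an IPv4-only IDS is skipping: it strips Teredo's authentication and origin indications from a UDP payload, reads the inner IPv6 header, and decodes the Teredo address layout from RFC 4380 (32-bit prefix 2001:0000, the server's IPv4, 16 flag bits, then the client's NAT-mapped port and public IPv4 XOR-obfuscated), so the tunnel endpoints behind the NAT become visible. All datagrams and addresses below are constructed for the example; the outer IPv4 addresses are documentation ranges and the Teredo client address is laid out per the RFC, not captured from a real host.

```python
"""Spot Teredo-tunnelled IPv6 inside IPv4/UDP and decode Teredo addresses (RFC 4380).

Added example; the packets and addresses below are constructed, not captured.
"""
import ipaddress
import struct

TEREDO_PORT = 3544                                   # well-known Teredo server UDP port
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")    # Teredo prefix 2001:0000::/32


def decode_teredo_address(addr):
    """Split a Teredo IPv6 address into (server_ipv4, flags, nat_port, nat_ipv4).

    Layout: 32-bit prefix | 32-bit server IPv4 | 16-bit flags |
            16-bit port XOR 0xFFFF | 32-bit client IPv4 XOR 0xFFFFFFFF.
    Returns None for non-Teredo addresses.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = struct.unpack("!H", raw[8:10])[0]
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return str(server), flags, port, str(client)


def parse_teredo_payload(payload):
    """Strip Teredo authentication/origin indications and read the inner IPv6 header.

    Returns (origin, inner_src, inner_dst, next_header); origin is the (ipv4, port)
    a server reports for the peer, or None. Returns None if no IPv6 header follows.
    """
    i, origin = 0, None
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":        # authentication indication
        id_len, au_len = payload[2], payload[3]
        i = 4 + id_len + au_len + 8 + 1                          # + nonce (8) + confirmation (1)
    if len(payload) >= i + 8 and payload[i:i + 2] == b"\x00\x00":  # origin indication
        port = struct.unpack("!H", payload[i + 2:i + 4])[0] ^ 0xFFFF
        ip = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in payload[i + 4:i + 8]))
        origin, i = (str(ip), port), i + 8
    hdr = payload[i:i + 40]
    if len(hdr) < 40 or hdr[0] >> 4 != 6:
        return None
    return (origin, str(ipaddress.IPv6Address(hdr[8:24])),
            str(ipaddress.IPv6Address(hdr[24:40])), hdr[6])


def classify_udp(flow):
    """Label one IPv4/UDP datagram: teredo-server-port, teredo-peer, ipv6-in-udp or plain-udp.

    Port 3544 is only a hint: once set up, Teredo peers talk directly on whatever
    ports their NATs assigned, so the inner Teredo addresses are what to key on.
    """
    parsed = parse_teredo_payload(flow["payload"])
    if parsed is None:
        return "plain-udp"
    _, src, dst, _ = parsed
    if not any(decode_teredo_address(a) for a in (src, dst)):
        return "ipv6-in-udp"
    if TEREDO_PORT in (flow["sport"], flow["dport"]):
        return "teredo-server-port"
    return "teredo-peer"


def ipv6_header(src, dst, next_header, payload_len):
    """Minimal 40-byte IPv6 header (hop limit 64), used to build the sample packets."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def obfuscate(ipv4, port):
    """Teredo's XOR encoding of an IPv4/port pair, as carried in origin indications."""
    return struct.pack("!H", port ^ 0xFFFF) + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(ipv4).packed)


# Constructed sample: a Teredo client whose address encodes server 65.54.227.120,
# cone flag 0x8000, NAT-mapped port 40000 and public IPv4 192.0.2.45.
CLIENT = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
SERVER_V4, CLIENT_V4, PEER_V4 = "65.54.227.120", "192.0.2.45", "198.51.100.7"
AUTH = b"\x00\x01\x00\x00" + b"\x00" * 9             # empty id/auth, zero nonce, confirmation byte
ORIGIN = b"\x00\x00" + obfuscate(PEER_V4, 51234)

SAMPLE_FLOWS = [  # constructed datagrams: outer IPv4/UDP fields plus UDP payload
    {"src": CLIENT_V4, "sport": 40000, "dst": SERVER_V4, "dport": TEREDO_PORT,   # client -> server
     "payload": AUTH + ipv6_header(CLIENT, "2001:db8::1", 58, 8) + b"\x80\x00" + b"\x00" * 6},
    {"src": SERVER_V4, "sport": TEREDO_PORT, "dst": CLIENT_V4, "dport": 40000,   # server -> client bubble
     "payload": ORIGIN + ipv6_header("2001:db8::1", CLIENT, 59, 0)},
    {"src": PEER_V4, "sport": 51234, "dst": CLIENT_V4, "dport": 40000,           # peer, no 3544 anywhere
     "payload": ipv6_header("2001:db8::1", CLIENT, 6, 20) + b"\x00" * 20},
    {"src": CLIENT_V4, "sport": 53211, "dst": "192.0.2.53", "dport": 53,         # ordinary DNS query
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"},
]


def audit(flows):
    """Per-flow report: verdict, inner addresses, and the NAT mapping the Teredo address leaks."""
    report = []
    for f in flows:
        verdict = classify_udp(f)
        entry = {"outer": f"{f['src']}:{f['sport']}->{f['dst']}:{f['dport']}", "verdict": verdict}
        if verdict.startswith("teredo"):
            origin, src, dst, _ = parse_teredo_payload(f["payload"])
            entry.update(inner=f"{src}->{dst}", origin=origin)
            for a in (src, dst):
                dec = decode_teredo_address(a)
                if dec:
                    entry["nat_mapping"] = f"{dec[3]}:{dec[2]} via server {dec[0]}"
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in audit(SAMPLE_FLOWS):
        print(e)
```

The third sample flow is the case a port-based rule misses: neither side uses 3544, yet the inner destination is a Teredo address, which is exactly the direct peer traffic that reaches a client behind NAT once the server has done its job.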

Still, I have no proof this is what's going on, but I'd like to see how the worm gets started. Imagine doing your best corporate vigilance to keep your machines patched, only to be compromised by a UDP tunnel through your NAT firewall over IPv6. What a shame that would be.
