Observations on the Lupper Worm
I've noticed this worm starting to hammer up against my servers lately.
Curiously, it seems to be profoundly ignorant of Name Based Virtual Servers/Hosts, which in turn provides us with an opportunity.
The Virtual Host default web server (Apache) config I run pretty much returns nothing. I've used "telnet 80; GET rubbish" too many times to identify remote systems that don't otherwise IP reverse lookup.
End result, any even possibly vulnerable applications are not running on the default virtual server. You need to know their virtual name to access them. Thus a worm that only attacks via IP address will not be able to contact the various virtual hosts configured on the system. This isn't impossible, but IMHO makes it much harder for any attacking worm to get a successful penetration.
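One way to lay out such a configuration, as an added example rather than the author's own config. It assumes Apache 2.4 syntax; the hostnames, paths and the log format nickname are placeholders.

```apache
# Log format that records the Host header the client sent, so requests
# addressed by bare IP stand out when the default host's log is reviewed.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" withhost

# Default (catch-all) virtual host. Apache hands a request to the FIRST
# <VirtualHost> defined for the address:port when the Host header matches
# no ServerName or ServerAlias, which includes requests made by IP address
# and requests with no Host header at all. It serves no content.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "/var/www/empty"
    <Directory "/var/www/empty">
        Require all denied
    </Directory>
    CustomLog "logs/default_access.log" withhost
</VirtualHost>

# The real application is reachable only when the client sends its name
# in the Host header.
<VirtualHost *:80>
    ServerName app.example.org
    DocumentRoot "/var/www/app"
    <Directory "/var/www/app">
        Require all granted
    </Directory>
    CustomLog "logs/app_access.log" withhost
</VirtualHost>
```

Running `apachectl -S` prints the parsed virtual host table and marks which host is the default for each address and port, which confirms the catch-all is the one defined first.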
This info may not help all of us - I certainly can't make use of it on my work systems. There are too many older browsers that (probably) don't understand Name Based Virtual Hosts. But it may be of some use to some of us, at least for our home servers.
I'm not familiar with IIS (~8 years ago was the last time I used IIS in anger), but suspect that some of this technique could be used in IIS based systems?
Note: this is NOT a subtle endorsement of security through obscurity.


