We have implemented a proof-of-concept wildfire worm for both Windows XP and Windows Vista. This worm, dubbed Wildfire/A, has been submitted to security vendors for testing. The implementation of this worm was surprisingly straight-forward given the plethora of tools publicly available.
The WLAN API available for both Windows-Vista and -XP facilitates the process of managing AP association and scanning. Through this API, the worm is able to actively scan for open "visible" APs and, in turn, associate with them. Once associated with an AP, the worm scans the local subnet for vulnerable machines. For this particular proof-of-concept implementation we only considered push exploits, namely, the chunked-encoding vulnerability found in the Apache Web server 1.22. The worm payload is packaged as a self-extracting archive that contains the libraries required by the WLAN API as well as a copy of the actual worm. We have confirmed that the worm operates as expected in a small scale experiment with 4 APs and 15 vulnerable hosts.