Since the news of Log4shell first broke, a few news outlets have been stoking fear of an imminent attack by a devastating worm, built by the usual suspects and armed with a Log4j exploit. A month later, we still haven’t seen one — but why? And how is the vulnerability actually being used?
The attack surface that a Log4j worm would have to target is highly heterogeneous. Systems such as web servers are easy to mass-scan, and Java-based web applications like Elasticsearch and VMware Horizon have already been exploited in great numbers. Scanning the entire internet for a select few vulnerable services, or even blindly spray-and-praying every discovered web service with a payload, can be done in a day.
Writing a worm for a scannable exploit is pretty much pointless. Worms like WannaCry made use of an SMBv1 service vulnerability in Windows systems, meaning that an entire network could be compromised from a single exploit. Log4j, while devastating in its breadth, isn’t as ubiquitous as a default Windows service, and the method of exploitation for this library varies greatly depending on how each application uses it.
A Log4j worm would only affect the relatively few machines running this library, and internal uses of the library would be too varied to be predictable in any meaningful way. Even the operating system would
Additionally, the skill required to write a worm is much higher than that required to scan. Only nation-state threat actors have the skill and resources to put together an impactful worm quickly enough to compete with scanning, and even then its efficacy is debatable.