Densely populated areas are increasingly filled with vulnerable wireless routers set up by unsophisticated users. In isolation, such routers appear to represent only a minor threat, but in aggregate, the threat can be much greater. We introduce the notion of malnets: networks of adversary-controlled wireless routers targeted to a physical geography. Similar to Internet worms such as Slammer and Code-Red, malnets are created by the recursive compromise of targeted devices. However, unlike their traditionally wired counterparts, malnet worms exploit only other routers that are within their transmission range. The malnet thus creates a parallel wireless infrastructure that is (a) completely under control of the adversary, and (b) spans a targeted physical area, creating a valuable infrastructure for a variety of virtual and physical attacks. We initially study the propagation characteristics of commercial routers and model inter-router connectivity using publicly available war-driving data. The resulting characterization is applied to well-known epidemiological models to explore the success rates and speeds of malnet creation across cities such as New York, Atlanta, and Los Angles. Finally, we use a sampling of available exploits to demonstrate the construction of multi-vector, multi-platform worms capable of targeting wireless routers. Our analysis show that an adversary can potentially deploy a malnet of over 24,000 routers in Manhattan in less than 2,h. Through this work we show that malnets are not only feasible but can be efficiently deployed. Copyright © 2009 John Wiley & Sons, Ltd.