
Linux worm threat may intensify

By Alastair Otter, Journalist, Tectonic
Johannesburg, 16 Sept 2002

A worm that attacks Linux Web servers may be building a peer-to-peer network for further attacks, according to anti-virus companies.

The worm, known as Slapper.Linux.Worm, takes advantage of a flaw in the OpenSSL module in the Apache Web server in order to spread. OpenSSL is used to establish secure connections between hosts on the Internet, and Apache is the most widely used Web server on the Internet.

Symantec's response team says the Slapper worm infects a number of the popular Linux distributions, including RedHat, Mandrake, SuSE, Slackware and Debian, and exploits the OpenSSL flaw in most of the 1.3.X versions of Apache.

Symantec's response team says in its advisory that the worm has "a number of peer-to-peer capabilities which allow it to communicate with other clients and participate in a distributed denial of service (DDoS) network. To perform these activities, the exploit code listens on UDP port 2002.

"The exploit further exhibits worm behaviour in that indications are that, once it is set up, it scans and attempts to propagate by infecting other vulnerable systems."

The company says it has confirmed that the Slapper worm is "in the wild and actively attacking other servers". While still early days, Symantec reports that more than 3 500 servers have been infected and the growth rate is significant enough to rate the worm's threat as "high".

The worm scans an extensive range of network addresses looking for a target with an open port 80 - typically an HTTP port - that it can use to communicate with. When it finds one it sends a request in the form "GET / HTTP/1.1" which, because it lacks a "host" parameter, sends back an error response that typically includes details of the Apache server running.

With this information it takes advantage of the OpenSSL flaw by sending a malformed key to the server which opens a shell on the server, allowing the worm to download its code.

Anti-virus company Kaspersky Labs reports that the code the worm uses is the same code used by the Morris worm which was reported in 1988.

Most Linux organisations have issued patches against the worm and the OpenSSL flaw, and the makers of OpenSSL have released version 0.9.6e, which fixes the bug. Simply hiding the server identification, however, may not be enough, because postings to BugTraq, the mailing list of SecurityFocus, suggest that the worm may use the error response to decide which portion of memory to overwrite. If it doesn't get the response it requires, it assumes that its targets are running RedHat and Apache 1.3.23, which may crash the server if it overwrites the wrong area.
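The two host-visible indicators the article describes, the Host-less "GET / HTTP/1.1" fingerprint probe that Apache answers with a 400 error and the worm's peer-to-peer listener on UDP port 2002, can both be checked from an administrator's side with ordinary log and socket data. The script below is an added example written for this page, not code from the article, Symantec or Kaspersky; the access-log lines and the netstat-style listing it runs over are constructed, and the function names are the example's own.

```python
"""
Defender-side checks for the two Slapper indicators the article describes:
(1) the Apache fingerprint probe, an HTTP/1.1 "GET /" sent without a Host
    header, which Apache rejects with a 400 error, and
(2) the worm's peer-to-peer listener on UDP port 2002.
All sample inputs in this file are constructed for illustration.
"""
import re

# Apache "combined" access-log format.  The Host header itself is not logged,
# so the visible symptom of the probe is an HTTP/1.1 request for "/" that the
# server answered with status 400.  An HTTP/1.0 request without Host is
# legitimate and must not be flagged.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_fingerprint_probe(entry):
    """True for an HTTP/1.1 'GET /' that Apache rejected with 400 (missing Host)."""
    return entry["req"] == "GET / HTTP/1.1" and entry["status"] == "400"


def find_probe_sources(log_lines):
    """Return {client_ip: probe_count} for log lines matching the probe pattern."""
    hits = {}
    for line in log_lines:
        entry = parse_access_line(line)
        if entry and is_fingerprint_probe(entry):
            hits[entry["ip"]] = hits.get(entry["ip"], 0) + 1
    return hits


def find_udp_listeners(netstat_output, port=2002):
    """Return local addresses bound to the given UDP port in netstat -anu style output.

    Expected columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State].
    """
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "udp":
            continue
        local = parts[3]
        if local.rsplit(":", 1)[-1] == str(port):
            found.append(local)
    return found


# Constructed sample data (addresses are documentation ranges, not real hosts).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [16/Sep/2002:10:01:02 +0200] "GET / HTTP/1.1" 400 346 "-" "-"',
    '198.51.100.4 - - [16/Sep/2002:10:01:05 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [16/Sep/2002:10:01:09 +0200] "GET / HTTP/1.1" 400 346 "-" "-"',
    '192.0.2.9 - - [16/Sep/2002:10:02:00 +0200] "GET / HTTP/1.0" 200 1532 "-" "Lynx"',
]

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:2002            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    print("fingerprint probes by source:", find_probe_sources(SAMPLE_ACCESS_LOG))
    print("UDP 2002 listeners:", find_udp_listeners(SAMPLE_NETSTAT))
```

On a real host the inputs would come from the Apache access log and from `netstat -anu` (or an equivalent socket listing). Apache's `ServerTokens Prod` and `ServerSignature Off` directives shrink the banner the 400 response carries, but, as the article notes, that only changes which memory region the worm guesses at; the fix is the OpenSSL update.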
