Posted on 09/16/2002 10:29:05 AM PDT by HAL9000
A virulent Linux worm is creating an attack network on the Internet, security clearing house CERT warned this weekend.
Slapper exploits a previously-disclosed OpenSSL vulnerability to create an attack platform for distributed denial-of-service (DDoS) attacks against other sites. The worm also has backdoor functionality, according to security tools vendor ISS. It describes the malicious code as a variation of the much less virulent Apache "Scalper" BSD worm.
The OpenSSL server vulnerability exploit exists on a wide variety of platforms, but Slapper appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.
The Slapper worm was first seen on Friday the 13th. Since then it has infected thousands of web servers around the world and continues to spread. By late last night 6,000 servers were infected with the worm, according to AV vendors F-Secure.
The worm scans for potentially vulnerable systems on 80/tcp using an invalid HTTP GET request (GET /mod_ssl:error:HTTP-request HTTP/1.0).
When an Apache system is detected, it attempts to send exploit code to the SSL service via 443/tcp. If successful, a copy of the malicious source code is then placed on the victim server, where the attacking system tries to compile and run it. Once infected, the victim server begins scanning for additional hosts to continue the worm's propagation.
During the infection process, the attacking host instructs the newly infected victim to initiate traffic on 2002/udp back to the attacker. Once this communications channel has been established, the infected system becomes part of the worm's DDoS network.
For this reason blocking port 2002/UDP at enterprise firewalls may be a good idea.
While the Windows-affecting Nimda and Code Red worms attacked nearby subnets indiscriminately, Slapper creates a peer-to-peer network that an attacker can harness for attacks. This troubling development sets Slapper apart from other worms.
Binary and source code versions of the worm are available and are being actively circulated - and access to the source code might lead to the development of more powerful variants.
The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade to the latest version; as of this writing, the latest version of OpenSSL is 0.9.6g.
Users should also update their AV software to detect the worm.
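The article describes the worm's scanning signature: an invalid request line sent to 80/tcp before any exploit attempt on 443/tcp. The following added example (not from the article, ISS or CERT) shows how a defender could sweep an Apache access log for that probe and count probing sources; the log lines are constructed sample data in Apache Common Log Format.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (Common Log Format). Lines 2, 4
# and 5 carry the Slapper scanning request quoted in the article.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [13/Sep/2002:22:14:01 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [13/Sep/2002:22:14:05 -0700] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 0
192.0.2.11 - - [13/Sep/2002:22:14:09 -0700] "POST /cgi-bin/form HTTP/1.1" 200 512
198.51.100.7 - - [13/Sep/2002:22:15:30 -0700] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 0
203.0.113.4 - - [13/Sep/2002:22:16:02 -0700] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 404 209
"""

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The request line the worm sends to 80/tcp while scanning (from the article).
SLAPPER_PROBE = "GET /mod_ssl:error:HTTP-request HTTP/1.0"


def parse_clf_line(line):
    """Return the CLF fields of one log line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_slapper_probe(request):
    """True when the logged request line is exactly the worm's scanning probe."""
    return request == SLAPPER_PROBE


def find_slapper_scanners(log_text):
    """Count probe requests per source host across an access log."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_clf_line(line)
        if fields and is_slapper_probe(fields["request"]):
            hits[fields["host"]] += 1
    return hits


if __name__ == "__main__":
    for host, n in find_slapper_scanners(SAMPLE_ACCESS_LOG).most_common():
        print(f"{host}: {n} Slapper probe(s) on 80/tcp")
```

A host that appears here and then opens 443/tcp to the same server is the infection attempt the article describes; the same source list can feed the firewall rule for 2002/udp that the article recommends.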
Apache/Linux is not the problem here. The problem (again) is lack of effort on the part of sysadmins. This is usually true regardless of the OS you are running.
However, I'll let someone else descend into the muck about assigning blame for the fact that the hole exists in the first place ;)
http://rhn.redhat.com/errata/RHSA-2002-155.html
http://www.debian.org/security/2002/dsa-136
Anyone want to explain this one to me? Does this mean the attacking system has to use a shell via access like telnet, rsh, etc?
No, worms are by definition automated programs that spread themselves without someone directing it. Telnet and rsh are almost universally denied these days for most places, so I doubt this is how it spreads.
The article is a bit unclear. I guess that the author probably doesn't understand what is going on. How often does the press get details right on firearms? This reads like semi-automatic revolver.
I have not seen a write-up of this particular worm, but when the article says "the attacking system tries to compile and run it" they really mean that the malicious code is already running on the system, but it is not the "full" worm yet. The infamous Morris Worm in the mid-80s worked the same way. Once the worm code was running on the victim computer, it would actually download the rest of itself, compile it, run it, and delete the evidence.
The reason the worm has to compile itself is because the amount of malicious code you can send with a buffer overflow is not very large. Big enough to run a small script, but for anything sophisticated the worm is broken into parts. The first part is what smashes the stack on the victim's CPU and installs itself and then runs. The second part finishes the job by hiding its presence and looking for other vulnerable computers.
Okay. This worm appeared on September 13, but the patch has been available since July 30. The vulnerability to this worm was avoidable with a little due diligence by the system administrator.
By comparison, a recent massive security hole in Windows XP that deletes files when the user merely views a web page containing a malicious URL was known to Microsoft for 11 weeks before they released a fix. Not only is Microsoft assigned the blame for the fact that the gaping hole exists in the first place, they also didn't inform customers of the risk or fix it for nearly 3 months. This is SOP for Microsoft customer support, which is why I avoid their low-quality crap products.
Have you installed SP1 yet? If not, perhaps you can volunteer for an experiment?
If you've already installed SP1, one of your customers who has not will do.