Posted on 10/04/2002 2:44:47 PM PDT by Bush2000
Virus writers get Slapper happy
Internet vandals have continued to modify the recent Slapper worm and have sent at least four new variants of the hostile Linux program into the electronic wilds. The newest variant, dubbed "Mighty," exploits the same Linux Web server flaw that other versions of the Slapper worm have used to slice through the security on vulnerable servers.
Russian antivirus company Kaspersky Labs said in a release Friday that more than 1,600 servers had been infected by this latest variant as of Friday morning and are now controlled by the worm via special channels on the Internet relay chat system.
"In this way, 'Mighty' is able to leak out confidential information, corrupt important data, and also use infected machines to conduct distributed (denial of service) attacks and other nasty activities," Kaspersky Labs said in the advisory.
Because the worm deposits its source code on any system that it infects, security researchers expect more modified versions of the virus to appear.
"People are doing a lot of variants," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security. "No one has found any good way to handle these worms."
As long as there are servers whose administrators don't care enough or don't know enough to patch the security holes, such worms will continue to spread, Maiffret said.
Since Code Red infected more than 350,000 servers last summer, computer worms have become the No. 1 perceived danger on the Internet. The self-replicating programs exploit security vulnerabilities to break into computers, then use those systems to infect other servers around the Internet.
While the worst attacks--Code Red and Nimda--have been against Microsoft's Web server, Linux servers have been compromised by worms in several moderate incidents, starting with the Ramen worm and moving on to the latest Slapper worm.
The Slapper worm infected as many as 20,000 servers before system administrators began installing patches and cleaning compromised systems, putting the program on the endangered species list.
A variant by any other name...
"Mighty" may be the fifth variant of Slapper to hit the Internet since the original worm was released last week. However, because of the different naming conventions used by security companies, the worm may be too similar to another version, Slapper.D, to be considered a variant.
Slapper.D, also known as "DevNull," appeared on the Internet on Monday, according to security software firm Symantec. While the original Slapper worm and previous variants all created a homegrown peer-to-peer network to communicate among themselves, DevNull used a well-known hacking tool--called "Kaiten"--to let the compromised servers talk with their creator via a channel on Internet chat, said Elias Levy, security architect for Symantec.
Levy expects more variants, but he believes that the tactic of using the SSL (secure sockets layer) vulnerability to bypass security is past its prime.
"The number of infected systems has been reduced," Levy said. "Different antivirus vendors have been e-mailing the people in charge of those (infected) machines."
In some cases, Levy said, gray hat hackers in the underground have used the peer-to-peer network against itself, sending commands from one compromised server across the homegrown network to shut down other infected computers.
Other variants of the Slapper code merely changed the port--a software address that computers use to talk to each other over the Internet--that the worm used as the communications channel for the peer-to-peer network. Slapper itself is a Linux variant of another worm, Scalper.c, which didn't get far because it only targets OpenBSD systems, a far smaller pool of computers.
In any event, Scalper is on the way out, said Roger Thompson, director of malicious-code research at security service provider TruSecure.
"We know that most people, but not everybody, are going to patch their systems," Thompson said. A few old machines that aren't well administered will keep the worm alive for some time, but it shouldn't infect many more computers.
"I think that the Slapper things are just going to become background noise," Thompson said.
Or we could have an honest comparison of the security risks of Windows versus Unix, but that wouldn't look good for your side.
Google
Your search - slapper site:slashdot.com - did not match any documents
I think they did. ROFL
Exactly. For example --
Or we could have an honest comparison of the security risks of Windows versus Unix
When everyone who knows anything about UNIX knows it is a hacker's paradise. And that when you compare security risks, MS-bashers want to do it by comparing the number of infections instead of the percentage, when we know that if all Windows and all Unix machines were destroyed by the same virus, such an analysis would seem to make Windows appear worse than Unix, simply because there are 1000 times as many Win machines. And you want to compare servers to home PCs.
And so on...
While I have a huge problem with MS doing planned obsolescence and tricky marketing to ensnare developers and MSOffice customers, anyone who knows much about both UNIX and WIN knows that win servers are the flat-out safest and most stable things you can run. And the easiest to learn.
Unix has .cshrc and .login -- WINXP lets me click a button and edit my user prefs. In UNIX, I have to type something like " rm -r <foldername>" -- in windows I right-click and select delete, or select the folder and hit the delete button. In windows, these and other actions are optimized from the button directly to the machine code -- in linux and any other "user friendly"</sarcasm> versions of Unix, there is always a pipe, the GUI is a program that sends sysex and other such commands to a command interpreter. Or even worse -- they are written in JAVA, so you get some more pipes on the way to the built in pipe.
Here's one for all of you good-hearted Unix lovers:
You probably know how to mount a drive from another Unix machine on your network. Do you have root permission on your machine? If you do, you have root permission on any drive you mount. How's that for secure?
And hacking? Linux is the only system I know of that can broadcast a false IP with a TCP query. No wonder Windows gets all the DoS attacks: the people who actually do these attacks all use Linux to do it!
Take your "altruistic" attitude and develop something half as good as Windows, and you will make millions giving it away for free. Until then, go take turns hacking each other and memorizing man pages.
Because guys like you are the ones trying to hack. And Windows is what you want to hack. And you and your buddies know that.
Because MS is looking at every possible angle, while Red Hat has two stoned guys on IRC orchestrating flame wars and hoping all the hacker kidz stay focused on MS.
Because guys like you are the ones trying to hack. And Windows is what you want to hack. And you and your buddies know that.
I think you are very misinformed. Almost all DoS attacks are sent from Windows machines. Windows mangles packets the same as Linux. I was forging Wake On LAN packets in NT 4 years ago. We Linux users could care less about hacking Windows machines.
I am right now on an XP HOME machine. Not PRO, not a server, XP Home. I have not had one single lock-up, not a shut down against my will, nada. Zip. Nothing. I leave it on for weeks at a time. I use all kinds of software, dev stuff, internet, graphics, multitrack audio.
Never one single hang. On XP Home. The sh!tty 'home edition' has not hung once.
And I've been using Linux for 7 years and have seen a lockup once.