Something other than good times was spreading this weekend, as the Slapper
worm, which was first seen in the wild last Friday, has now propagated to
over 100 countries worldwide.
Slapper is a network worm that spreads on Linux machines by exploiting a flaw
in the OpenSSL libraries initially discovered in August 2002. While this OpenSSL server
vulnerability exists on a wide variety of platforms, the worm appears to
work only on Linux systems running Apache with the OpenSSL module on Intel
architectures.
In an initial report, Finnish security firm F-Secure noted that a case had been
discovered in Eastern Europe late on Friday, September 13th, 2002. As of
this morning, the company reports that it has received confirmation of cases
in over 100 countries.
Apache
Internet and it is estimated that approximately one million machines have
enabled SSL services.
The worm is considered to be among a new breed of worms because it not only
propagates to other machines but also contains code to create a
peer-to-peer attack network, where infected machines can remotely be
instructed to launch a wide variety of Distributed Denial of Service
The author apparently designed the worm to launch distributed
denial-of-service attacks but, F-Secure warns, it also results in a
situation where anybody can take over an infected machine and do practically
anything with it.
Despite the speed with which it has begun to propagate, Mikko Hypponen,
F-Secure’s manager of anti-virus research, notes that there are some forces
slowing the worm down.
“Apache users are good in patching their systems,” said Hypponen. “Plus,
the worm generates lots of network traffic, slowing the infection rate.”
Vendor patches can be found in the original CERT report. Further
technical information on the worm is available here. It is recommended
that vulnerable machines be patched immediately.
As of Monday morning, the Linux.Slapper worm had been in circulation for
less than 60 hours and had infected 11,000 servers. According to F-Secure,
Code Red, which is known as the worst Web worm in history, managed to infect
only several hundred servers within a similar time frame. Code Red, which
targeted servers running Microsoft’s Internet Information Services (IIS) Web
server, went on to infect approximately 350,000 Web servers during its peak
in July 2001 and is still alive today.