Worm Gives a Slap in the Face

Something other than good times was spreading this weekend, as the Slapper worm, which was first seen in the wild last Friday, has now propagated to over 100 countries worldwide.

Slapper is a network worm that spreads on Linux machines by using a flaw initially discovered in August 2002 in OpenSSL libraries. While this OpenSSL server vulnerability exists on a wide variety of platforms, the worm appears to work only on Linux systems running Apache with the OpenSSL module on Intel architectures.

In an initial report, Finnish security firm F-Secure noted that a case had been discovered in Eastern Europe late on Friday, September 13th, 2002. As of this morning, the company reports that it has received confirmation of cases in over 100 countries.

Apache installations cover more than 60 percent of public Web sites on the Internet, and it is estimated that approximately one million of those machines have SSL services enabled.

The worm is considered to be among a new breed of worms, because it not only propagates itself to other machines, but also contains code to create a peer-to-peer attack network, in which infected machines can be remotely instructed to launch a wide variety of Distributed Denial of Service attacks.

The author apparently designed the worm to launch distributed denial-of-service attacks, but, F-Secure warns, it also results in a situation where anybody can take over an infected machine and do practically anything with it.

Despite the speed with which it has begun to propagate, Mikko Hypponen, F-Secure’s manager of anti-virus research, notes that there are some forces slowing the worm down.

“Apache users are good at patching their systems,” said Hypponen. “Plus, the worm generates lots of network traffic, slowing the infection rate.”

Vendor patches can be found in the original CERT report. Further technical information on the worm is available here. It is recommended that vulnerable machines be patched immediately.

As of Monday morning, the Linux.Slapper worm had been in circulation for less than 60 hours and had infected 11,000 servers. According to F-Secure, Code Red, which is known as the worst Web worm in history, managed to infect only several hundred servers within a similar time frame. Code Red, which targeted servers running Microsoft’s Internet Information Services (IIS) Web server, went on to infect approximately 350,000 Web servers during its peak in July 2001 and is still alive today.