[ISN] P2P worm targets Linux Apache Web servers

From: InfoSec News (isnat_private)
Date: Mon Sep 16 2002 - 03:11:44 PDT


    http://www.nwfusion.com/news/2002/0913p2pworm.html
    
    By Ellen Messmer
    Network World Fusion 
    09/13/02 
    
    A computer worm dubbed Linux.Slapper.Worm has started to spread on the
    Internet by exploiting the Linux Apache Web server vulnerabilities
    that are related to the OpenSSL protocol. The vulnerabilities were
    first detailed July 30 by The OpenSSL Group.
    
    According to antivirus firm Symantec, the Linux.Slapper.Worm is the
    first worm to make use of peer-to-peer networking technology, which
    has allowed infected servers to maintain contact. This would
    potentially give a hacker control of a constellation of infected
    boxes.
    
    The worm, which is still being analyzed, can capture e-mail addresses
    and could potentially do greater harm, says Oliver Friedrichs, senior
    manager at the Symantec Security response division. Symantec said that
    on Friday there were at least 2,000 infections from the worm, which
    was first reported in Portugal and Romania.
    
    The worm can infect Linux servers from companies such as Red Hat,
    Mandrake, Caldera, Slackware and Debian that have not been upgraded to
    the 0.9.6g version of the OpenSSL Group's software for Secure Sockets
    Layer. That upgrade fixes the vulnerabilities detailed on July 30.
    
    The worm is raising particular concern because "it has its own
    peer-to-peer networking protocol," said Friedrichs. "Potentially,
    someone can inject a command into the peer-to-peer network and send it
    to the compromised hosts."
    
    Symantec is still examining the Linux.Slapper.Worm to better
    understand how dangerous it is. The worm spreads like the well-known
    Nimda worm, which started a year ago, by scanning. That scanning
    activity might result in some denial-of-service problems.
    
    But unlike Nimda, which is still active and infects vulnerable
    Microsoft Internet Information Servers, the Linux.Slapper.Worm is said
    to go one step further and set up links among the Linux machines it
    infects. Symantec said it intends to issue periodic updates on what it
    discovers about Linux.Slapper.Worm.
    
    
    
    
    


