A new worm is making inroads by exploiting a security hole in OpenSSL on Apache Web servers running on Linux boxes.
The Linux.Slapper worm first appeared on Friday and spread over the weekend. The worm exploits a buffer-overflow vulnerability in OpenSSL to gain control of Apache Web servers running on Linux. OpenSSL is an open-source library that implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols for clients and servers, in many cases to support secured HTTP connections.
The OpenSSL vulnerability was announced in early August. The writer of Linux.Slapper was able to develop the worm ahead of the patching curve for a lot of users, said Dan Ingevaldson, team lead for Internet Security Systems' X-Force R&D.
"A lot of users won't patch a system until they see a credible threat," he said.
A unique feature of Linux.Slapper is that it sends a source code copy of itself to targeted machines, which is then compiled using the gcc compiler. By doing so, the worm looks a little different each time, as compiler and memory settings differ from machine to machine, said Mikko Hypponen, F-Secure's manager of anti-virus research in Helsinki, Finland.
The availability of the worm's source code is not a good thing. Virtually anyone can use the source code to fix bugs in the worm and make it a more formidable threat, Ingevaldson said.
According to Abingdon, England-based antivirus software vendor Sophos, the worm spreads via TCP port 443 (SSL). Before connecting to that port, however, Slapper contacts the target Web server using port 80 (HTTP) to verify that it is vulnerable. The worm then customizes its attack based on the Linux distribution and version of Apache being used:
- Red Hat running Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23 and 1.3.26.
- SuSE running Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23.
- Mandrake running Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23.
- Slackware running Apache 1.3.26.
- Debian running Apache 1.3.26.
- Gentoo running any version of Apache.
- If such combinations aren't found, then the worm acts as if dealing with a system running Apache 1.3.23 on Red Hat Linux.
After infecting a system, the worm then tries to add the infected machine to a Kazaa-like peer-to-peer network controlled by the virus writer. Only Linux machines running Apache with OpenSSL 0.9.6d or earlier are affected, according to a CERT advisory.
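The port-80 probe Sophos describes, together with the CERT cut-off of OpenSSL 0.9.6d, can be turned around into a self-check: parse the Server banner your own Apache advertises and ask what the worm would conclude from it. The script below is an added example, not code from the worm or from any vendor named here; the banner format and the sample banners are constructed for illustration, and a banner that hides its OpenSSL version (ServerTokens Prod) is reported as "unknown" rather than "safe", since the worm attacks anyway with its Red Hat/1.3.23 fallback.

```python
"""Self-check modelled on the port-80 probe Slapper makes before attacking
port 443.  Added example, not the worm's own code; banner format and sample
banners are constructed for illustration."""
import re

# Distribution / Apache combinations Sophos reports the worm has profiles for.
# None means "any Apache version".
TARGET_PROFILES = {
    "Red-Hat":   {"1.3.6", "1.3.9", "1.3.12", "1.3.19", "1.3.20", "1.3.22", "1.3.23", "1.3.26"},
    "SuSE":      {"1.3.12", "1.3.17", "1.3.19", "1.3.20", "1.3.23"},
    "Mandrake":  {"1.3.14", "1.3.19", "1.3.20", "1.3.23"},
    "Slackware": {"1.3.26"},
    "Debian":    {"1.3.26"},
    "Gentoo":    None,
}
FALLBACK_PROFILE = ("Red-Hat", "1.3.23")   # what the worm assumes when nothing matches
LAST_VULNERABLE_OPENSSL = (0, 9, 6, "d")   # CERT advisory: 0.9.6d or earlier is affected

# Banner fragments that identify the distribution (assumed spellings, e.g. "Red-Hat/Linux").
_DISTRO_PATTERNS = [
    (re.compile(r"red[- ]?hat", re.I), "Red-Hat"),
    (re.compile(r"suse", re.I), "SuSE"),
    (re.compile(r"mandrake", re.I), "Mandrake"),
    (re.compile(r"slackware", re.I), "Slackware"),
    (re.compile(r"debian", re.I), "Debian"),
    (re.compile(r"gentoo", re.I), "Gentoo"),
]


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter) from 'OpenSSL/0.9.6d', or None.
    The tuples compare the way OpenSSL versions sort: 0.9.6 < 0.9.6d < 0.9.7."""
    m = re.search(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def parse_apache_version(banner):
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else None


def detect_distro(banner):
    for pat, name in _DISTRO_PATTERNS:
        if pat.search(banner):
            return name
    return None


def assess(banner):
    """Classify one Server: banner the way the worm would, plus the patch check."""
    apache = parse_apache_version(banner)
    distro = detect_distro(banner)
    openssl = parse_openssl_version(banner)

    versions = TARGET_PROFILES.get(distro)
    exact = distro in TARGET_PROFILES and (versions is None or apache in versions)
    profile = (distro, apache) if exact else FALLBACK_PROFILE

    return {
        "apache": apache,
        "distro": distro,
        "openssl": openssl,
        # None when the banner hides OpenSSL: cannot tell from outside, verify on the host.
        "openssl_vulnerable": None if openssl is None else openssl <= LAST_VULNERABLE_OPENSSL,
        "exact_match": exact,
        "worm_profile": profile,
    }


# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b",
    "Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6g",
    "Apache/1.3.20 (Unix)  (SuSE/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6a",
    "Apache/2.0.40 (Unix) mod_ssl/2.0.40 OpenSSL/0.9.7",
    "Apache",  # ServerTokens Prod: the banner gives nothing away
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        r = assess(b)
        print(f"{b!r}\n  openssl_vulnerable={r['openssl_vulnerable']} "
              f"profile={r['worm_profile']} exact_match={r['exact_match']}")
```

The banner is only a hint: the exploit lives in OpenSSL, so the patch level (the `openssl_vulnerable` field) decides exposure, while the distribution/Apache match only tells you which of the worm's prepared profiles will be thrown at the host. A server that hides its version is not protected by that; check the installed OpenSSL package on the machine itself.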
The virus writer wouldn't have root access to the servers unless the Web server runs as root, Hypponen said. Even so, the writer could use infected Web servers as a cyber-army for denial-of-service attacks.
Moreover, a third party could wrest control away from the virus writer and use the network for attacks, Hypponen said. F-Secure has infiltrated the peer-to-peer network by reverse engineering the protocol used by the worm. On Sunday afternoon, there were more than 5,000 infected machines. The number had risen to 11,249 by Monday morning.
Hypponen cautions that not all infected machines will be able to join the peer-to-peer network. A firewall configured to only allow port 80 traffic would prevent an infected machine from joining the network, he said.
Also, the worm is actually choking its own progress, Hypponen said. Connecting to the peer-to-peer network eats up bandwidth, which slows its propagation efforts.
The best way to prevent infection is to patch the OpenSSL vulnerability. There are also some workarounds, such as changing file-system permissions so that the Web server's account cannot write out and compile the worm's source; a server so configured may still be exploited but will not spread the worm, Ingevaldson said.