Newsgroups: alt.2600.hackerz
Subject: linux worm
Date: Tue, 24 Sep 2002 13:45:46 +0100

Slapper infects victims in 100 countries
Monday, September 16 2002
by Matthew Clark

The Slapper Linux worm is the name of a new bug that is circulating on the Internet, reportedly attacking servers in over 100 countries around the globe.

The network worm spreads on Linux servers by exploiting a flaw that has been exposed since August 2002 in OpenSSL libraries. However, so far the worm seems to only have the capacity to effectively attack Linux systems running Apache with the OpenSSL module on Intel architectures, Finland-based e-security company F-Secure is reporting.

The bug has been on the prowl since late last week and although instances of it still appear to be relatively low, its impact is thought to be severe, allegedly forcing two major ISPs in the US to shut down briefly while the worm was cleared off their systems.

The danger of Slapper, which is thought to be another incarnation of a worm called Scalper, is that Apache installations cover more than 60 percent of public Web sites on the Internet and it is estimated that approximately one million machines have enabled SSL services.

"A very big part of these machines have not yet been patched to close this hole, and are thus prone to infection by the Slapper worm," F-Secure said.

Another nasty facet of the bug's capabilities is its ability to attack on a peer-to-peer basis, whereby infected machines can remotely be instructed to launch a wide variety of Distributed Denial of Service attacks. Such attacks could leave an infected server in a position where an attacker could take over the infected machine and do practically anything with it from a remote location.

"It's quite a scary concept in the way they put it (Slapper) together," said Conor Flynn, technical director with Irish e-security company Rits. "All infected servers could come under the control of a single master."

Moreover, some reports peg its spread at 11,000 servers by Monday morning, just 60 hours after it was discovered. Conversely, Code Red, often considered the worst virus to hit the Net to date, infected just a few hundred servers within the first three days of its discovery.

"The potential for damage is actually quite large because the servers that are being hit actually represent a significant portion of bandwidth," Flynn said.

However, patches for the flaw that Slapper is exploiting have been available from vendors for some time, and repairing the hole in servers that the bug uses should create an effective immunity.

"Having a major server on the Net comes with a certain amount of responsibility," Flynn continued. "It's one thing if you are broken into with some kind of rocket science attack, but it's something else when you leave a machine open to someone using this kind of sledgehammer approach."