Fast-Spreading Worm Takes Over Infected Servers

By Wayne Kawamoto (Send Email)
Posted Sep 16, 2002


The Apache/mod_ssl worm, first seen on Friday Sept. 13, has infected thousands of web servers around the world and continues to spread. According to reports, what sets this worm apart from others is its peer-to-peer networking capability, which the worm author may use to take over any or all of the infected servers. The worm was apparently designed to launch distributed denial-of-service attacks, but it also results in a situation where anyone can take over an infected machine and do practically anything with it. The Apache/mod_ssl worm, first seen on Friday, Sept. 13, has infected thousands of Web servers around the world and continues to spread. According to reports, what sets this worm apart from others is its peer-to-peer networking capability, which the worm author may use to take over any or all of the infected servers.

Affected systems include those running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures. The CERT/CC has received reports of the self-propagating malicious code that exploits a vulnerability (VU#102795) in OpenSSL. The malicious code is now referred to as Apache/mod_ssl worm, linux.slapper.worm and bugtraq.c worm.

While the OpenSSL server vulnerability exists on a wide variety of platforms, the Apache/mod_ssl worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures. Reports received by the CERT/CC indicate that the Apache/mod_ssl worm has already infected thousands of systems. According to DeepSight Threat Management System data, some 3500 IP addresses have been recorded as being the source of scanning and associated activity.

Symantec lists the following components that may be affected:

  • Red-Hat: Apache 1.3.6, 1 3 9, 1.3.12, 1.3.19, 1.3 20, 1.3 22, 1.3 23, 1.3.26 .
  • SuSe: Apache 1.3.12, 1.3 17, 1.3 19, 1.3.20, 1.3 23 .
  • Mandrake: Apache 1.3 14, 1.3.19, 1.3.20, 1.3 23 .
  • Slackware: Apache 1.3 26 .
  • Debian: Apache 1.3.26

When an Apache system is detected, the worm attempts to send exploit code to the SSL service via 443/tcp. If successful, a copy of the malicious source code is then placed on the victim server, where the attacking system tries to compile and run it. Once infected, the victim server begins scanning for additional hosts to continue the worm's propagation.

Additionally, the Apache/mod_ssl worm can act as an attack platform for distributed denial-of-service (DDoS) attacks against other sites by building a network of infected hosts. During the infection process, the attacking host instructs the newly-infected victim to initiate traffic on 2002/udp back to the attacker. Once this communications channel has been established, the infected system becomes part of the Apache/mod_ssl worm's DDoS network. Infected hosts can then share information on other infected systems as well as attack instructions. Thus, the 2002/udp traffic can be used by a remote attacker as a communications channel between infected systems to coordinate attacks on other sites.

Reports to the CERT/CC indicate that the high volume of 2002/udp traffic generated between hosts infected with the Apache/mod_ssl worm may itself lead to performance issues on networks with infected hosts. Furthermore, since repairing an infected host does not remove its IP address from the Apache/mod_ssl worm's Peer-to-Peer network, sites that have had hosts infected with the Apache/mod_ssl worm and subsequently patched them may continue to see significant levels of 2002/udp traffic directed at those formerly infected systems.

According to an announcement from F-Secure, during the weekend following Friday the 13th, the company's engineers reverse-engineered the peer-to-peer protocol that the worm uses. F-Secure says it has infiltrated the Slapper peer-to-peer attack network, posing as an infected web server. Through this fake server, the exact number of infected machines and their network names can be identified.

F-Secure says it is sending a warning to the administrators of infected systems based on their IP addresses. A free version of F-Secure Anti-Virus for Linux will also be made available to the administrators of infected systems.

More information, including work-arounds and patches, can be found on the following sites:

http://www.cert.org/advisories/CA-2002-27.html

http://securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html

http://www.f-secure.com/slapper/

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.