September 13, 2002 11:40 PM PDT
Linux server worm exploits known flaw
Designated "Linux.Slapper.Worm" by security firm Symantec, the self-replicating program may have originated in Europe and threatens Linux servers that offer an encryption feature known as Secure Sockets Layer, the standard method for encrypting sensitive Web traffic, through a common extension to the open-source Apache Web server.
"At this time over 3,500 computers have been observed performing this activity," said Symantec in its advisory. "This includes computers located in Portugal and Romania, where initial reports of the worm originated."
The worm, which is also known as Apache/mod_ssl after the Web server module it exploits, seems to have been designed to build a distributed network from which a denial-of-service attack could be launched. A denial-of-service attack attempts to shut down a network by overloading it with data from a number of servers, as Slapper apparently is attempting, or by causing systems to crash by exploiting a flaw in the software.
The worm's code will also run only on Intel-based systems, where it compiles its own code, Symantec advised. The worm attacks by first confirming that the computer is running the Apache Web server and then infects the computer by connecting to the SSL server.
News of the worm was first posted to Bugtraq, a security mailing list run by SecurityFocus, a subsidiary of Symantec.
Earlier this month, Internet research firm Netcraft warned that administrators were not patching SSL servers quickly enough.
"Counter-intuitively, Web site managers seem quicker to fix conventional HTTP servers than SSL servers, perhaps because they receive more traffic, or because the HTTP service is the conduit favored by worm writers," the firm's latest Web survey said.
The firm estimated that only a quarter of all SSL servers had been patched as of the end of August. It didn't disclose how many such servers were on the Internet.
System administrators with SSL servers based on Apache and OpenSSL should upgrade to the latest version of the encrypted communications software, Symantec's advisory recommended.