Linux worm creating P2P attack network

A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data, security experts said Saturday.

The worm seems to spreading fairly rapidly, according to security company Symantec, which early Friday detected about 2,000 infected computers that were actively attacking--a number that climbed to 3,500 late Friday. The company's security personnel could not be contacted for comment Saturday.

"It is confirmed through various sources that this worm is in the wild and actively attacking other servers," the company warned its newest advisory Saturday.

The worm targets Apache Web server installations on a variety of Linux systems, including those from Red Hat, SuSE, Debian, Mandrake and Slackware. By exploiting a security hole in the Apache OpenSSL module that enables a widely used encrypted communications service known as the secure socket layer, the worm can copy itself to new servers.

The advisory includes an analysis of the so-called Linux.Slapper.Worm's code, revealing some details of the attack network created from servers compromised by the worm.

"(Slapper) also includes a number of peer-to-peer capabilities, which allow it to communicate with other clients, and participate in a distributed denial-of-service (DDoS) network," stated the advisory.

It's uncertain how much danger the worm poses. While an advisory posted Friday by Symantec rates the new threat a 2 out of 5, with 5 being the most severe threat, the latest advisory rates the potential danger as "high." Antivirus company Kaspersky released an advisory on the worm early Saturday, which stressed that the the company hadn't seen any reports of infected machines from its customers.

Though the rogue peer-to-peer network of compromised servers is still being created, it has already been used to attack the DNS servers of a major Internet service provider, according to a statement posted on the Internet Storm Center, a Web site that tracks security incidents on the Net by correlating data among voluntarily submitted firewall logs.

Domain-name service, or DNS, servers acts as the yellow pages of the Internet by matching domain names, such as news.com, to the numerical addresses used by the Net's hardware. By leveling a denial-of-service attack at such servers, an attacker can block customers of the assaulted ISP from connecting to Web sites.

Further evidence of the DDoS network being used came in an e-mail sent out by RackShack.net to its customers. The Web hosting provider apparently warned administrators that several of its servers had been used to conduct attacks against other providers.

"This morning we found 20-plus machines that were used to launch a DoS attack," Patrick Smith, a systems administrator for the company, stated in the e-mail seen by News.com. "We are currently reviewing the compromised hosts and it appears this worm is the culprit."