Slapper worm gains strength in numbers

By Robert Lemos, Special to ZDNet
18 September 2002 08:50 AM
Tags: slapper, linux, worm, virus, network, infect, peer, attack
The Linux Slapper worm had compromised more than 6,700 servers as of early Monday morning, and it continues to create a peer-to-peer attack network that could shut down even corporate Internet connections.

Unlike past worms, which typically tried only to compromise computers on the Internet, the Slapper worm has a grander scheme in mind: to create a large peer-to-peer network that could be used to hit other servers. A computer that gets infected becomes part of the network and could be commanded, or used to command the other computers on the network, to attack, said Al Huger, senior director of engineering for the incident response team at security company Symantec.

"A number like 6,700 hosts is very significant for a (distributed denial-of-service) network," he said. "With the pipes these (infected servers) are connected to, this network could easily take a large enterprise off the Internet."

The worm, known as Linux.Slapper.Worm and Apache/mod_ssl Worm by the security industry, takes advantage of a hole in OpenSSL, a program used by many Web sites based on open-source software to secure Web communications. Specifically, the worm uses a security flaw in the mod_ssl module for the Apache Web server. While Apache accounts for about two-thirds of all Web sites on the Internet, it's unknown how many of those sites use SSL.

As previously reported, the worm is spreading moderately quickly. Symantec reported 2,000 infected servers early Friday afternoon. That jumped to 3,500 by Friday evening, and 6,700 as of 2 a.m. PT Monday.

Once infected, a computer drawn into the Slapper network can be ordered--by commands passed from machine to machine--to attack a target in one of four different ways: send out a deluge of data, force the target to execute a command, redirect certain requests to another computer, or send back e-mail addresses or information about known infected servers.

"This shows a leap in worm-writing technology," Huger said. "(The network it sets up) can be efficient as well. It's passing router information back and forth, which could be used very intelligently."

The peer-to-peer network has already attacked. On Saturday, incident-tracking Web site Incidents.org said the network had been used to attack another company. A note from a system administrator to the customers of RackShack.net confirmed that more than 20 of its computers had been used in such an attack.

On Monday, Huger confirmed that another security company had been attacked by the network this past weekend.

However, there's a silver lining in this particular network cloud. Security companies and authorities can place a vulnerable computer on the Internet that will eventually be infected, giving the organisation a view into what's happening on the network.

Such a tactic gave Huger and his team the ability to collect the IP addresses of much of the network, since every computer eventually advertises itself to its peers. Symantec has forwarded the information to the FBI's National Infrastructure Protection Center for analysis.

An earlier attempt to contact the owners of the infected systems had little result, Huger said. "We notified the owners of 1,800 computers on the network last week. We received only 4 replies."

Huger warned that his team isn't yet seeing the full extent of the network, however.

The computer that the security team is using to tap into the Slapper network didn't see any sign of this weekend's attack against an unnamed security company. This means that another part of the Slapper network--which isn't included in the 6,700 servers that Huger's team can "see"--did the assault.
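The sensor tactic described above, and its blind spot, as an added example that is not part of the article or Symantec's tooling: a toy gossip model in which every host advertises the peers it knows to its neighbours, so a passive sensor host eventually learns every address in its own partition but never sees hosts in a partition it is not linked to. The topology and 10.x addresses are constructed for the demonstration.

```python
# Added example (not from the ZDNet article): a toy peer-advertisement network.
# Each host forwards its peer list to its neighbours; a passive sensor learns
# only what reaches it, which is why a sensor maps its partition but is blind
# to a disconnected one. Topology and addresses below are constructed.
from typing import Dict, Set, Tuple

# Constructed undirected links; 10.0.0.9 is the sensor, 10.0.1.x is a
# second group of hosts that never exchanges peer lists with the first.
LINKS = [
    ("10.0.0.1", "10.0.0.2"), ("10.0.0.2", "10.0.0.3"), ("10.0.0.3", "10.0.0.4"),
    ("10.0.0.4", "10.0.0.5"), ("10.0.0.5", "10.0.0.9"),
    ("10.0.1.1", "10.0.1.2"), ("10.0.1.2", "10.0.1.3"),
]
SENSOR = "10.0.0.9"

def neighbours(links) -> Dict[str, Set[str]]:
    """Build an adjacency map from the link list."""
    adj: Dict[str, Set[str]] = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def gossip_round(adj, known) -> bool:
    """Every host sends its current peer list to each neighbour, which merges it.
    Returns True if any list grew, i.e. the network has not yet converged."""
    changed = False
    for node, nbrs in adj.items():
        for nb in nbrs:
            before = len(known[nb])
            known[nb] |= known[node]
            changed = changed or len(known[nb]) > before
    return changed

def sensor_view(links, sensor, max_rounds=100) -> Tuple[Set[str], int]:
    """Run gossip to convergence; return (addresses the sensor learned, rounds)."""
    adj = neighbours(links)
    known = {n: {n} for n in adj}          # each host starts knowing only itself
    rounds = 0
    while rounds < max_rounds and gossip_round(adj, known):
        rounds += 1
    return known[sensor], rounds

def unseen_hosts(links, sensor) -> Set[str]:
    """Hosts that exist but never reach the sensor: the partition it cannot count."""
    seen, _ = sensor_view(links, sensor)
    return set(neighbours(links)) - seen

if __name__ == "__main__":
    seen, rounds = sensor_view(LINKS, SENSOR)
    print(f"sensor learned {len(seen)} of {len(neighbours(LINKS))} hosts in {rounds} rounds")
    print("invisible to the sensor:", sorted(unseen_hosts(LINKS, SENSOR)))
```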

Talkback 5 comments

    Billy Goats -- 18/09/02

    Ha Ha............
    So much for Open Source being more secure than MS.
    Let's face it, no one is safe !!!!

    Anonymous -- 18/09/02

    I think that Billy Goat says it all, but to all you people who say that Linux is secure, Slapper has not just slapped that rumour, it has beaten the shite out of it.

    As Linux grows, so will these incidents, and as open source is so exposed, so, potentially, can the damage from the breaches.

    Not an MS fan, just think that the whole story should be told. Open Source is no more secure than Closed.

    Anonymous -- 18/09/02

    1) This is an Apache vulnerability, not a Linux one.
    2) This is the first one, and you idiots are comparing one incident to thousands?
    3) When the OSS user base becomes larger, more developers see the code, and it thus becomes more secure. Currently Microsoft employs more man-hours on IIS than the people who volunteer on Apache. You think that when this situation is reversed, more holes will magically appear???
    4) In case you didn't notice, we have never needed virus scanners, and seeing as this vulnerability can be fixed by simply upgrading to a later version, we still don't need virus scanners. There is no way that anything to do with Windows comes close to this kind of "security".
    5) Go right ahead guys, it won't bother us while you pay through the nose for inferior software. Happy crashing!!

    Anthony Tuck -- 18/09/02

    Yes Billy Goat, no one is safe. While humans do the programming there will always be loopholes for some malicious person to crawl through. Having said that, I have an interesting observation for you. I have a small network at home consisting of an E-Smith (Linux) server, and all members of my family have their own PC (some Windows and some Linux) connected to the Internet and each other. I keep a very close eye on the log files on the server. There are hundreds of entries in the logs of attempted break-ins. The hackers (or should I say crackers) all think my server is a Windows NT m/c. There has not been a successful attempt yet to get in. I am sure if the server was a Windows NT m/c, based on the type of attacks, they would have been in a long time ago. The other observation is that if you look at any database about viruses, you will find they contain as many as 10000 entries. Almost all, but a very few, are aimed at Microsoft Outlook/Outlook Express. I guess if you wanted to flirt with danger you would have Microsoft Outlook running on a Windows NT server.

    This is the reason two thirds of the internet servers run Linux. Not to mention stability and a little thing called cost!

    I defend the right of any person to run whatever operating system they desire. I choose Linux. I have used all other operating systems dating back to PC-DOS in the 80s.

    Scott Middleton -- 21/09/02

    Just because a flaw is found in Apache doesn't mean it's any less secure than IIS. All programmers aren't perfect and can't create perfect programs; security flaws are inevitable. When you compare the number of flaws found in IIS to those found in Apache you'll find that Apache still has far fewer than IIS, and this speaks for itself.
