F-Secure Warns About a New Linux Worm

Helsinki, Finland – September 14th. F-Secure Corporation is warning about a new network worm called Slapper. Slapper is a network worm that spreads on Linux machines, using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday 13th, September 2002.

The worm typically affects Linux machines that are running Apache web server with SSL enabled. Apache installations cover more than 60% of public web sites in the internet. It could be estimated that less than 10% of those have enabled SSL services. SSL is most often used for online commerce, banking and privacy applications.

Once a machine gets infected, the worm starts to spread to new systems. In addition, the worm contains code to create a peer-to-peer attack network, where infected machines can remotely be instructed to launch a wide variety of Distributed Denial of Service (DDoS) attacks.

The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled and OpenSSL version must be 0.96d or older.

Slapper is very similar to the Scalper Apache worm, which was found in June 2002. The basic theory of operation is similar to the first widespread web worm, Code Red. Code Red infected more than 350000 websites running Microsoft IIS in July 2001.

“It is still early to say whether this will become a major problem or not”, comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. “In any case, we urge all Linux webmasters to make sure their systems are secured against this attack.”

Detailed description of the worm as well as a screenshot are available at: http://www.f-secure.com/v-descs/slapper.shtml