Linux worm creating P2P attack network
Published: 16 Sep 2002 08:09 BST
A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data, security experts said on Saturday.
The worm seems to spreading fairly rapidly, according to security firm Symantec, which early Friday detected about 2,000 infected computers actively attacking, a number that climbed to 3,500 late Friday. The company's security personnel could not be contacted for comment on Saturday.
"It is confirmed through various sources that this worm is in the wild and actively attacking other servers," the firm warned its newest advisory Saturday.
The worm targets Apache Web server installations on a variety of Linux systems, including those from Red Hat, SuSE, Debian, Mandrake and Slackware. By exploiting a security hole in the Apache OpenSSL module that enables a widely used encrypted communications service known as the secure socket layer, the worm can copy itself to new servers.
The advisory includes an analysis of the so-called Linux.Slapper.Worm's code, revealing some details of the attack network created from servers compromised by the worm.
"(Slapper) also includes a number of peer-to-peer capabilities, which allow it to communicate with other clients, and participate in a distributed denial-of-service (DDoS) network," stated the advisory.
It's uncertain how much danger the worm poses. While an advisory posted Friday by Symantec rates the new threat a two out of five, with five being the most severe threat, the latest advisory rates the potential danger as "high." Anti-virus firm Kaspersky released an advisory on the worm early Saturday, which stressed that the firm hadn't seen any reports of infected machines from its customers.
While the rogue peer-to-peer network of compromised servers is currently being created, it has already been used to attack the DNS servers of a major Internet service provider, according to a statement posted on the Internet Storm Center, a Web site that tracks security incidents on the Net by correlating data amongst voluntarily submitted firewall logs. Domain-name service, or DNS, servers acts as the yellow pages of the Internet by matching domain names, such as news.com, to the numerical addresses used by the Net's hardware. By leveling a denial-of-service attack at such servers, an attacker can block customers of the assaulted ISP from connecting to Web sites.
Further evidence of the DDoS network being used came in an e-mail sent out by RackShack.net to its customers. The Web hosting provider apparently warned administrators that several of its servers had been used to conduct attacks against other providers.
"This morning we found 20-plus machines that where used to launch a DoS attack," Patrick Smith, a systems administrator for the company, stated in the e-mail seen by News.com. "We are currently reviewing the compromised hosts and it appears this worm is the culprit."
Have your say instantly, and see what others have said. Go to the Linux forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
73 out of 119 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
