Linux.Slapper Worm Continues To Spread

As of Monday morning, security vendor Symantec said there were 6,700 servers compromised by the worm, which surfaced Friday, known as Linux.Slapper.Worm or Apache/mod_ssl.

"It's spreading," said Al Huger, senior director of engineering for Symantec's response team. "Not at the rates you would have seen during Nimda or Code Red, but it is definitely spreading. It's consistent but not incredibly fast."

The worm attacks Linux systems, including versions of SuSe, Mandrake, RedHat, Slackware and Debian, running Apache Web server with older versions of OpenSSL (Secure Socket Layer) installed. Slapper exploits a buffer overflow vulnerability in OpenSSL, up to and including versions 0.9.6d and 0.9.7 beta1, according to Atlanta-based Internet Security Systems.

When it infects a server, the worm installs a backdoor, sets up a peer-to-peer network for infected systems to communicate and has five tools to launch distributed denial-of-service attacks, Huger said.

Unlike last year's Code Red worm, Slapper can be centrally controlled, he said. But Huger added that he doesn't expect the worm to spread as extensively as Code Red because Code Red exploited the more widespread Microsoft Internet Information Server.

Administrators need to upgrade their OpenSSL installations to the latest version, 0.9.6g, said Symantec, based here.