Slapper gives Linux community a dose of something contagious

A new worm that attacks Linux web servers has compromised more than 3,500 machines over the weekend, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data.

Security firm Symantec has warned that the worm, called Linux.Slapper, seems to be spreading rapidly - early on Friday the company detected around 2,000 infected computers actively attacking. This number climbed to 3,500 by the end of the day and has risen over the weekend.

Symantec issued an advisory on Saturday which stated: "It is confirmed through various sources that this worm is in the wild and actively attacking other servers."

The worm targets Apache web server installations on a variety of Linux systems, including those from Debian, Mandrake, Red Hat, Slackware and SuSE. By exploiting a security hole in the Apache OpenSSL module that enables a widely used encrypted communications service known as the secure socket layer, the worm can copy itself to new servers.

The advisory includes an analysis of the worm's code, revealing some details of the attack network created from servers compromised by the worm.

"[Slapper] also includes a number of peer-to-peer capabilities, which allow it to communicate with other clients, and participate in a distributed denial-of-service (DDoS) network," stated the advisory.

It's uncertain how much danger the worm poses. While an advisory posted Friday by Symantec rates the new threat a two out of five, with 5 being the most severe threat, the latest advisory rates the potential danger as "high."

Anti-virus firm Kaspersky released an advisory on the worm early Saturday, which stressed that the firm hadn't seen any reports of infected machines from its customers.

While the rogue peer-to-peer network of compromised servers is currently being created, it has already been used to attack the DNS servers of a major ISP, according to a statement posted on the Internet Storm Center, a website that tracks security incidents on the net by correlating data amongst voluntarily submitted firewall logs.

Domain-name service, or DNS, servers acts as the yellow pages of the internet by matching domain names, such as silicon.com, to the numerical addresses used by the net's hardware. By levelling a denial-of-service attack at such servers, an attacker can block customers of the assaulted ISP from connecting to websites.

Further evidence of the DDoS network being used came in an email sent out by RackShack.net to its customers. The web hosting provider apparently warned administrators that several of its servers had been used to conduct attacks against other providers.

Patrick Smith, a systems administrator for the company, said: "This morning we found 20-plus machines that where used to launch a DoS attack. We are currently reviewing the compromised hosts and it appears this worm is the culprit."

Robert Lemos writes for News.com