The Linux Slapper worm: an update

The Linux Slapper worm had compromised more than 6,700 servers as of early Monday morning, and it continues to create a peer-to-peer attack network that could shut down even corporate Internet connections.

Unlike past worms, which typically tried only to compromise computers on the Internet, the Slapper worm has a grander scheme in mind: to create a large peer-to-peer network that could be used to hit other servers. A computer that gets infected becomes part of the network and could be commanded, or used to command the other computers on the network, to attack, said Al Huger, senior director of engineering for the incident response team at security company Symantec.

"A number like 6,700 hosts is very significant for a (distributed denial-of-service) network," he said. "With the pipes these (infected servers) are connected to, this network could easily take a large enterprise off the Internet."

The worm is spreading moderately quickly. Symantec reported 2,000 infected servers early Friday afternoon. That jumped to 3,500 by Friday evening, and 6,700 by the early hours of Monday morning in the west coast of US (around lunchtime in the UK).

The worm, known as Linux.Slapper.Worm and Apache/mod_ssl Worm by the security industry, takes advantage of a hole in OpenSSL, a program used by many Web sites based on open-source software to secure Web communications. Specifically, the worm uses a security flaw in the mod_ssl module for the Apache Web server. While Apache accounts for about two-thirds of all Web sites on the Internet, it's unknown how many of those sites use SSL.

Once infected, a computer drawn into the Slapper network can be ordered - by commands passed from machine to machine - to attack a target in one of four different ways: send out a deluge of data, force the target to execute a command, redirect certain requests to another computer, or send back e-mail addresses or information about known infected servers.

"This shows a leap in worm-writing technology," Huger said. "(The network it sets up) can be efficient as well. It's passing router information back and forth, which could be used very intelligently."

The peer-to-peer network has already attacked. On Saturday, incident-tracking Web site Incidents.org said the network had been used to attack another company. A note from a system administrator to the customers of RackShack.net confirmed that more than 20 of their computers had been used in such an attack.

On Monday, Huger confirmed that another security company had been attacked by the network this past weekend.

However, there's a silver lining in this particular network cloud. Security companies and authorities can place a vulnerable computer on the Internet that will eventually be infected, giving the organization a view into what's happening on the network.

Such a tactic gave Huger and his team the ability to collect the IP addresses of much of the network, since every computer eventually advertises itself to its peers. Symantec has forwarded on the information to the FBI's National Infrastructure Protection Center for analysis.

An earlier attempt to contact the owners of the infected systems had little result, Huger said. "We notified the owners of 1,800 computers on the network last week. We received only 4 replies."

Huger warned that his team isn't yet seeing the full extent of the network, however.

The computer that the security team is using to tap into the Slapper network didn't see any sign of this weekend's attack against an unnamed security company. This means that another part of the Slapper network - which isn't included in the 6,700 servers that Huger's team can "see" - did the assault.

Robert Lemos writes for News.com