Slapper worm stops slapping

Slapper - the Linux worm that threatened to spread itself by creating a peer-to-peer network of infected machines - appears to be wearing itself out.

The worm started spreading a week ago, and now appears to have reached a plateau after infecting about 7,000 servers and turning the hosts into a peer-to-peer network that could be used to attack other computers.

Known as Linux.Slapper.Worm, Slapper and Apache/mod_ssl, the worm's spread has fallen far short of the biggest attackers in recent times. For example, Code Red infected 400,000 servers last summer. And according to the National Strategy to Secure Cyberspace, the Nimda virus compromised 86,000 systems last fall.

Perhaps most telling, security experts are already talking about Slapper in the past tense.

"I thought it was very interesting, but it didn't do terribly much," said Roger Thompson, director of malicious code research at security services company TruSecure.

The worm exploited a flaw in the open-source security component used with many Linux-based Apache Web servers. Known as the secure sockets layer (SSL), the component is commonly used by e-commerce sites to secure transactions between the customer's computer and the company's server.

Slapper attacks Apache SSL servers running on Red Hat, SuSE, Mandrake, Slackware and Debian Linux.

Still, Slapper did take a big evolutionary step by creating a peer-to-peer network.

"The difference between this and everything else in the past is that nothing else has had an internal peer-to-peer network," said Oliver Freidrichs, senior manager of security company Symantec's incident response team.

Some attack programs, frequently referred to as bots or rats (remote access Trojans), are used by hackers who frequent the internet chat scene, and can communicate with the antagonist via IRC (internet relay chat) channels. However, by using a peer-to-peer network instead, the Slapper program allows the attacker to hide among the other victims of the worm's infection.

Moreover, the network reports back who has been infected, which could be helpful for the attacker to keep track of the size of the network. Commands sent to the network can cause a denial-of-service (DOS) attack by sending a deluge of data at a target, can execute code or can gather information.

However, because the network created by the Slapper worm doesn't use encryption, anyone can tap into it. That's been a boon for security researchers, who have been able to use the reporting features of the program to collect data on its spread.

The Slapper worm may be rudimentary and lacking its own internal security, but it could also be considered a hint of what future cyberweapons may look like.

If refined, the worm could be released with the code to exploit the latest vulnerability - the SSL flaw that Slapper takes advantage of is about seven weeks old - and then three days later, the aggressor would have its own attack network. The peer-to-peer network would hide the attacker's identity, since any computer on the network could issue commands to the others. And using encryption, the attacker could reduce exploitation of the resulting network by others.

"It definitely can be used as a weapon," Freidrichs said. "I would be cautious in using that term, but it definitely is reality."

Robert Lemos writes for News.com