Slapper worm targets Linux/Apache servers


A new worm with distributed denial of service (DDoS) capabilities is targeting open source Apache Web servers and has already caused two US ISPs to close down.

Apache is the most widely used Web server software in the world, with an installed base of 22 million machines serving 67% of active sites, according to Netcraft, which publishes a monthly survey of Web server software use.

The Slapper worm is a modified version of the earlier Scalper worm and can give attackers backdoor access to infected systems, according to security firm Internet Security Systems (ISS).

The worm exploits a previously disclosed flaw in OpenSSL's handling of the Secure Sockets Layer 2.0 (SSLv2) handshake and specifically targets servers running Apache with mod_ssl.

mod_ssl is the Apache module that interfaces the Web server to OpenSSL, an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The worm targets OpenSSL versions up to and including 0.9.6d, as well as 0.9.7 beta1.

The Slapper worm exploits a buffer overflow in OpenSSL's SSLv2 handshake code by sending a malformed client master key message. Once an Apache/mod_ssl server running an affected OpenSSL version is infected, the worm's backdoor can be accessed without any authentication, which lets third parties use infected hosts to launch further DDoS attacks.

According to ISS, the DDoS capabilities associated with this worm are very powerful and have already been used to attack and disable high-profile targets.

The worm affects most major Linux distributions, including Red Hat, Debian, Mandrake, SuSE and Slackware. Other Unix platforms, as well as Apache with OpenSSL for Windows may also be vulnerable to the OpenSSL vulnerability.

Binary and source code versions of the worm are available and are being actively circulated, which may lead to the development of more powerful variants, ISS said.

To prevent attacks by this worm, network administrators should upgrade to the latest 0.9.6g version of OpenSSL, which was released after the SSL vulnerability was first disclosed in July, ISS added. Upgrading the library alone is not enough: Apache must be restarted so that mod_ssl loads the fixed OpenSSL, and any copy of Apache or mod_ssl that was statically linked against OpenSSL has to be rebuilt. Where an immediate upgrade is not possible, disabling SSLv2 in the mod_ssl configuration (`SSLProtocol all -SSLv2`) removes the vulnerable handshake path.

Last month Netcraft warned that complacency among Web administrators meant that 75% of Web servers running Apache-SSL, an SSL-enabled variant of the popular open source server, had not been upgraded to fix a serious flaw uncovered in June.
