That OpenSSL Worm
[Posted September 18, 2002 by dennis]
This worm has been referred to by at least four different names:
Apache/mod_ssl worm, linux.slapper.worm, bugtraq.c worm and Modap worm.
On Friday, September 13th, the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow vulnerability reported at the end of July.
The next day CERT issued Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
By Sunday, September 15th, at 17:00 GMT, F-Secure Corporation reported 13,000 infected servers out of "over 1,000,000 active OpenSSL installations in the public web."
Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available for over a month from the OpenSSL project, Caldera, Conectiva, Debian, EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and Yellow Dog.
SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format).
F-Secure is maintaining a "Virus Description" of this worm with lots of interesting information.
The first reports in the press appeared Friday, the day the worm was first seen, in CNET and Network World Fusion. The next day CNET put up another story with additional information. By Monday evening both the Register and TechWeb had published their reports on events to date. On Tuesday Network World Fusion reported that the worm had infected at least 30,000 Linux Apache Web servers.
Also, see this other article from TechWeb on the worm:
According to Dan Ingevaldson, team lead of the X-Force R&D division at ISS, the first version may be a test to see how well the worm works before deadlier versions surface. "Unlike Code Red and Nimda, where virus writers didn't have immediate access to the source code, the source code for this worm is already widely public," he says. "I'd expect new versions to start to surface."
RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has observed behavior different from what that tool expects.
In the unlikely event that you haven't already, applying the appropriate OpenSSL update might be a very good thing to do before reading any further.
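A quick local check to go with that advice, added here as an example and not taken from the article, from any of the vendors it lists, or from the RUS-CERT tool: it reads the banner printed by `openssl version`, parses the version token of the era (numeric fields, a letter patch level such as `0.9.6e`, or a `-betaN` pre-release such as `0.9.7-beta3`) and compares it with the fixed release you pass on the command line from your vendor's advisory. The sample banner and all version strings in the code are constructed; the banner layout `OpenSSL <version> <date>` is the one the `openssl` command-line tool prints.

```python
"""Added example (not from the LWN article or any project it cites): decide
whether the installed OpenSSL is at or past the fixed release named in a
vendor advisory, using the version token printed by `openssl version`."""
import re
import subprocess
import sys
from typing import Optional, Tuple

# Constructed sample of the banner layout "OpenSSL <version> <build date>";
# used only when no openssl binary is found on PATH.
SAMPLE_BANNER = "OpenSSL 0.9.6g 9 Aug 2002"

# Version tokens of that era: 0.9.6e (letter = patch level) or
# 0.9.7-beta3 (pre-release of the next line).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$", re.IGNORECASE)

VersionKey = Tuple[int, int, int, int, int, int]


def parse_openssl_version(token: str) -> VersionKey:
    """Turn an OpenSSL version token into a tuple that sorts in release
    order: numeric fields, then the letter patch level ("" < a < b < ...),
    then a flag that places a final release above every beta of the same
    number, then the beta number itself."""
    m = _VERSION_RE.match(token.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version token: {token!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    patch = 0
    for ch in m.group(4).lower():          # "" -> 0, "a" -> 1, "e" -> 5
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    beta = m.group(5)
    if beta is None:
        return (major, minor, fix, patch, 1, 0)       # final release
    return (major, minor, fix, patch, 0, int(beta))   # pre-release


def version_from_banner(banner: str) -> str:
    """'OpenSSL 0.9.6g 9 Aug 2002' -> '0.9.6g'."""
    parts = banner.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError(f"unexpected banner: {banner!r}")
    return parts[1]


def is_at_least(installed: str, fixed: str) -> bool:
    """True when the installed token is the fixed release or a later one."""
    return parse_openssl_version(installed) >= parse_openssl_version(fixed)


def installed_openssl_version() -> Optional[str]:
    """Version token of the openssl binary on PATH, or None if unavailable."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return version_from_banner(out)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_openssl.py <fixed-release-from-vendor-advisory>")
    fixed = sys.argv[1]
    installed = installed_openssl_version()
    if installed is None:
        print("no openssl binary on PATH; using the constructed sample banner")
        installed = version_from_banner(SAMPLE_BANNER)
    verdict = "at or past" if is_at_least(installed, fixed) else "OLDER than"
    print(f"installed {installed} is {verdict} fixed release {fixed}")
```

One caveat that follows directly from the list of vendors above: several of them shipped backports, which fix the bug while leaving the upstream version token unchanged. On such a system the banner comparison reports "older" even though the package is patched, so the package version named in the vendor's advisory, not the banner, is the authoritative check there.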