Worm creates P2P attack network

[DevilDog#1]

Attacks Linux servers, creates network used to hit others

By Robert Lemos
A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data, security experts said Saturday.

THE WORM SEEMS to spreading fairly rapidly, according to security firm Symantec, which early Friday detected about 2,000 infected computers actively attacking, a number that climbed to 3,500 late Friday. The company’s security personnel could not be contacted for comment Saturday.
“It is confirmed through various sources that this worm is in the wild and actively attacking other servers,” the firm warned its newest advisory Saturday.
The worm targets Apache Web server installations on a variety of Linux systems, including those from Red Hat, SuSE, Debian, Mandrake and Slackware. By exploiting a security hole in the Apache OpenSSL module that enables a widely used encrypted communications service known as the secure socket layer, the worm can copy itself to new servers.
The advisory includes an analysis of the so-called Linux.Slapper.Worm’s code, revealing some details of the attack network created from servers compromised by the worm.
”(Slapper) also includes a number of peer-to-peer capabilities, which allow it to communicate with other clients, and participate in a distributed denial-of-service (DDoS) network,” stated the advisory.
It’s uncertain how much danger the worm poses. While an advisory posted Friday by Symantec rates the new threat a 2 out of 5, with 5 being the most severe threat, the latest advisory rates the potential danger as “high.” Anti-virus firm Kaspersky released an advisory on the worm early Saturday, which stressed that the firm hadn’t seen any reports of infected machines from its customers.
While the rogue peer-to-peer network of compromised servers is currently being created, it has already been used to attack the DNS servers of a major Internet service provider, according to a statement posted on the Internet Storm Center, a Web site that tracks security incidents on the Net by correlating data amongst voluntarily submitted firewall logs. Domain-name service, or DNS, servers acts as the yellow pages of the Internet by matching domain names, such as news.com, to the numerical addresses used by the Net’s hardware. By leveling a denial-of-service attack at such servers, an attacker can block customers of the assaulted ISP from connecting to Web sites.
Further evidence of the DDoS network being used came in an e-mail sent out by RackShack.net to its customers. The Web hosting provider apparently warned administrators that several of its servers had been used to conduct attacks against other providers.
“This morning we found 20-plus machines that where used to launch a DoS attack,” Patrick Smith, a systems administrator for the company, stated in the e-mail seen by News.com. “We are currently reviewing the compromised hosts and it appears this worm is the culprit.”

Copyright © 1995-2002 CNET Networks, Inc. All rights reserved

[DevilDog#1]

Better update your virus definitions people