Virus writers get Slapper happy

The newest variant, dubbed "Mighty," exploits the same Linux Web server flaw that other versions of the Slapper worm have used to slice through the security on vulnerable servers. Russian antivirus company Kaspersky Labs said in a release Friday that more than 1,600 servers had been infected by this latest variant as of Friday morning and are now controlled by the worm via special channels on the Internet relay chat system.

"In this way, 'Mighty' is able to leak out confidential information, corrupt important data, and also use infected machines to conduct distributed (denial of service) attacks and other nasty activities," Kaspersky Labs said in the advisory.

Because the worm deposits its source code on any system that it infects, security researchers expect more modified versions of the virus to appear.

"People are doing a lot of variants," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security. "No one has found any good way to handle these worms."

As long as there are servers whose administrators don't care enough or don't know enough to patch the security holes, such worms will continue to spread, Maiffret said.

Since Code Red infected more than 350,000 servers last summer, computer worms have become the No. 1 perceived danger on the Internet. The self-replicating programs exploit security vulnerabilities to break into computers, then use those systems to infect other servers around the Internet.

While the worst attacks--Code Red and Nimda--have been against Microsoft's Web server, Linux servers have been compromised by worms in several moderate incidents, starting with the Ramen worm and moving on to the latest Slapper worm.

The Slapper worm infected as many as 20,000 servers before system administrator began installing patches and cleaning compromised systems, putting the program on the endangered species list.

A variant by any other name...
"Mighty" may be the fifth variant of Slapper to hit the Internet since the original worm was released last week. However, because of the different naming conventions used by security companies, the worm may be too similar to another version, Slapper.D, to be considered a variant.

Slapper.D, also known as "DevNull," appeared on the Internet on Monday, according to security software firm Symantec. While the original Slapper worm and previous variants all created a homegrown peer-to-peer network to communicate among themselves, DevNull used a well-known hacking tool--called "Kaiten"--to let the compromised servers talk with their creator via a channel on Internet chat, said Elias Levy, security architect for Symantec.

Levy expects more variants, but he believes that the tactic of using the SSL (secure sockets layer) vulnerability to bypass security is past its prime.

"The number of infected systems has been reduced," Levy said. "Different antivirus vendors have been e-mailing the people in charge of those (infected) machines."

In some cases, Levy said, gray hat hackers in the underground have used the peer-to-peer network against itself, sending commands from one compromised server across the homegrown network to shut down other, infected computers.

Other variants of the Slapper code merely changed the port--a software address that computers use to talk to each other over the Internet--that the worm used as the communications channel for the peer-to-peer network. Slapper itself is a Linux variant of another worm, Scalper.c, which didn't get far because it only targets FreeBSD systems, a far smaller pool of computers.

In any event, Scalper is on the way out, said Roger Thompson, director of malicious-code research at security service provider TruSecure.

"We know that most people, but not everybody, are going to patch their systems," Thompson said. A few, old machines that aren't well administered will keep the worm alive for some time, but it shouldn't infect many more computers.

"I think that the Slapper things are just going to become background noise," Thompson said.