Slapper worm smarting less

Spread of the Linux worm has reached a plateau at about 7,000 servers, and the attack function of the resulting peer-to-peer network remains largely unused.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
A Linux worm that started spreading a week ago has reached a plateau after infecting about 7,000 servers and turning the hosts into a peer-to-peer network that could be used to attack other computers.

Known as Linux.Slapper.Worm, Slapper and Apache/mod_ssl, the worm's spread has fallen far short of the biggest attackers in recent times. For example, Code Red infected 400,000 servers last summer. And according to the "National Strategy to Secure Cyberspace," the Nimda virus compromised 86,000 systems last fall.

Perhaps most telling, security experts are already talking about Slapper in the past tense.

"I thought it was very interesting, but it didn't do terribly much," said Roger Thompson, director of malicious code research at security services company TruSecure.

The worm exploited a flaw in the open-source security component used with many Linux-based Apache Web servers. Known as the secure sockets layer (SSL), the component is commonly used by e-commerce sites to secure transactions between the customer's computer and the company's server.

Slapper attacks Apache SSL servers running on Red Hat, SuSE, Mandrake, Slackware and Debian Linux.

A big step
Still, Slapper did take a big evolutionary step by creating a peer-to-peer network.

"The difference between this and everything else in the past is that nothing else has had an internal peer-to-peer network," said Oliver Freidrichs, senior manager of security company Symantec's incident response team.

Some attack programs, frequently referred to as bots or rats (remote-access Trojans), are used by hackers who frequent the Internet chat scene, and can communicate with the antagonist via IRC (Internet relay chat) channels. However, by using a peer-to-peer network instead, the Slapper program allows the attacker to hide among the other victims of the worm's infection.

Moreover, the network reports back who has been infected, which could be helpful for the attacker to keep track of the size of the network. Commands sent to the network can cause a denial-of-service (DOS) attack by sending a deluge of data at a target, can execute code or can gather information.

However, because the network created by the Slapper worm doesn't use encryption, anyone can tap into it. That's been a boon for security researchers, who have been able to use the reporting features of the program to collect data on its spread.

Have worm, will travel
The Slapper worm may be rudimentary and lacking its own internal security, but it could also be considered a hint of what future cyberweapons may look like.

If refined, the worm could be released with the code to exploit the latest vulnerability--the SSL flaw that Slapper takes advantage of is about seven weeks old--and then three days later, the aggressor would have its own attack network. The peer-to-peer network would hide the attacker's identity, since any computer on the network could issue commands to the others. And using encryption, the attacker could reduce exploitation of the resulting network by others.

"It definitely can be used as a weapon," Freidrichs said. "I would be cautious in using that term, but it definitely is reality."

The network may have already been used to send a flood of data at a victim's Internet connection, a so-called DOS attack. One Internet service provider notified customers in an e-mail that more than 20 of its customers' machines had been infected and used to attack another company. Symantec reported that at least one security company had been the victim of the attack.

While stressing worms that exploit holes in software, as Slapper has done, are the way of the future, TruSecure's Thompson doesn't think it's much of a weapon.

"This is certainly a reasonable way to do a (distributed DOS attack) and the peer-to-peering is an interesting twist, but a straight back-dooring of something important is a better (way) to attack," he said.

Yet, with the capability to level four different types of DOS attacks at other networks and the ability to command computer to run any program, Slapper could be far more versatile than evidence has shown so far.

Despite that, there has been little response to the threat of the worm.

"I don't know that our response would be any different tomorrow than it would be today," Richard Clarke, adviser on cybersecurity to President Bush, said this week when asked what could be learned from Slapper.

Some security experts have other ideas.

On security mailing lists, there have been discussions about using the worm's own network against itself by, for example, using the command network to run a program that would delete the worm's files, said Symantec's Freidrichs.

"Someone could issue a command to kill it off," he said. However, he stressed that such an action would be illegal and, if the program to be executed has a bug, could cause more damage.

"There is a number of fears in that you are definitely committing to executing code on someone else's servers," he said.