A malicious software worm that attacks web servers using the open source Linux operating system has compromised more than 3,500 computers and is spreading rapidly, according to an advisory from security software vendor Symantec.
The so-called “Slapper” worm commandeers open source Apache web servers running on Linux to launch a distributed denial of service (DDoS) attack. Security experts said that Slapper could enable hackers to steal confidential data and execute malicious commands remotely.
Symantec rated the risk of a global outbreak from the worm as “high”.
Slapper exploits a buffer overflow in the OpenSSL library that Apache’s mod_ssl module uses; the flaw is in OpenSSL’s handling of the SSLv2 handshake, and the worm uses it to copy itself to other vulnerable Linux web servers. SSL is a security protocol that encrypts data sent over the Internet.
The fact that Slapper uses source code spreading technology makes it especially dangerous, said Eugene Kaspersky, founder and head of anti-virus research for anti-virus software vendor Kaspersky Labs. He said “the uploaded worm copy of the [Slapper] worm is in the source code”, instead of in a pre-compiled executable package.
This lets Slapper use the C compiler installed on the victim web server (a compiler translates C source code into machine language) to build a fresh copy of itself on each new host before spreading further. C compilers are found on every commonly used platform, said Kaspersky. A server with no compiler installed cannot complete that build step, one reason production web servers are often deployed without build tools.
As a result, Slapper could also spread to non-Linux platforms. “It is quite possible that Slapper will initiate a new wave of multi-platform malware [malicious software] development, which will be able to infect not only Linux, but Windows, Unix and other operating systems simultaneously,” said Kaspersky.
The same technique, shipping source and compiling it on the target, was used by the infamous Morris Worm in 1988, which infected more than 6,000 computers and caused losses estimated at $96 million (€99m).
Symantec said patches to fix the OpenSSL vulnerability were available. “If administrators are unable to install the patch, it may be possible to disable the SSL engine in the Apache Web server. This can be achieved by modifying the configuration file to remove any configuration items regarding SSL configurations,” it added.
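As an added illustration of Symantec’s workaround and of the compiler dependency Kaspersky describes (this is example code written for this page, not a script from Symantec, Kaspersky or the Apache project), the following POSIX shell functions audit an Apache httpd configuration for still-active SSL directives and report whether a C compiler is on the host’s PATH. The sample httpd.conf it writes to a temporary file is constructed for the demonstration; the directive names are standard mod_ssl ones, but the file paths inside it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article, Symantec or Kaspersky: audit an
# Apache httpd configuration for the SSL items the advisory says to remove
# when the OpenSSL patch cannot be applied, and check whether the host has
# the C compiler a source-distributed worm needs to build itself.

# Print every active (uncommented) SSL directive in a config file, plus the
# mod_ssl LoadModule line. Leading whitespace is stripped first so indented
# directives inside <VirtualHost> blocks are not missed.
ssl_directives() {
    sed 's/^[[:space:]]*//' "$1" \
        | grep -v '^#' \
        | grep -E '^(SSL[A-Za-z]+|LoadModule[[:space:]]+ssl_module)'
}

# Exit 0 if the SSL engine is switched on anywhere in the file, 1 otherwise.
# Case-insensitive because Apache accepts "on" and "On".
ssl_enabled() {
    ssl_directives "$1" | grep -qiE '^SSLEngine[[:space:]]+on([[:space:]]|$)'
}

# Exit 0 if a C compiler is on PATH, 1 otherwise. A web server that never
# builds software locally does not need one, and without it the worm's
# compile-on-victim step fails.
compiler_present() {
    for cc in gcc cc clang tcc; do
        command -v "$cc" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Constructed sample httpd.conf: one directive is commented out (inactive),
# but the virtual host still has the SSL engine switched on.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
# SSLEngine on
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
EOF

echo "Active SSL directives in $SAMPLE_CONF:"
ssl_directives "$SAMPLE_CONF"
if ssl_enabled "$SAMPLE_CONF"; then
    echo "SSL engine is ON: patch OpenSSL or comment out the lines above"
else
    echo "SSL engine is off"
fi
if compiler_present; then
    echo "C compiler found on PATH"
else
    echo "No C compiler on PATH"
fi
rm -f "$SAMPLE_CONF"
```

Run it against a real configuration with `ssl_directives /etc/httpd/conf/httpd.conf`; `Include`d files are not followed, so check each included SSL configuration file separately. Commenting out or removing `SSLEngine on` only stops the vulnerable SSL handshake from being reachable; it does not fix the underlying OpenSSL library, so the patch remains the real remedy.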