elboricua (Premium Member, join: 2001-08-12, Bronx, NY)

Linux worm creating P2P attack network

I posted this in the All Things Unix forum news. I think it is EXTREMELY relevant to post here as well.

From CNET News:

Update: A new worm that attacks Linux Web servers has compromised more than 3,500 machines, creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data, security experts said Saturday.

The worm seems to be spreading fairly rapidly, according to security company Symantec, which early Friday detected about 2,000 infected computers that were actively attacking, a number that climbed to 3,500 late Friday. The company's security personnel could not be contacted for comment Saturday.

guycad$ (Premium Member, join: 2002-05-02, Pompton Lakes, NJ)

This is a real bummer.

Couldn't reach 'openssl.org' to check for latest updates. Though I believe I'm already up-to-date. (Thanx Gentoo!)
zenomorph (Member, join: 2001-11-26, Nashua, NH)

I posted more links on my website about this.

www.cgisecurity.com

Name Game (Premium Member, join: 2002-07-07, Grand Rapids, MI) to elboricua

I have also been tracking it since it first started... this could be big trouble... I hope this helps some members.

VSantivirus No. 799 - Year 6 - Sunday, 15 September 2002

Linux.Slapper.Worm, a P2P worm for Apache servers
»www.vsantivirus.com/slapper.htm

Name: Linux.Slapper.Worm
Type: Internet worm (Linux)
Alias: Slapper, Apache/mod_ssl Worm, Linux/Slapper-A, Linux.Slapper-Worm, Slapper.source
Date: 13/Sep/02
Platforms: Linux

A new worm named Linux.Slapper.Worm has begun to propagate over the Internet in the last 48 hours, exploiting vulnerabilities in the OpenSSL protocols used by servers such as Apache on Linux.

The exploited flaws were published at the end of last July by "The OpenSSL Group", but, as usually happens, many users have still not updated their versions.

One characteristic of this worm is that it is the first to make use of peer-to-peer (P2P) networking technology at the server level on Linux, which allows the infected servers to stay connected to each other by means of their own protocol.

This opens up a multitude of possibilities for the attacker who takes advantage of it. The worm is able to harvest e-mail addresses, and future versions or updates could possibly be more destructive.

On Friday, the first day it was reported, more than 2000 infections were detected in Portugal and Romania, the countries where the first infections occurred.

The worm can infect Linux servers running Red Hat, Mandrake, Caldera, Slackware or Debian whose OpenSSL (Secure Sockets Layer) software has not been updated to version 0.9.6g. That version fixes the flaw reported in July in OpenSSL, which prevents the worm from operating.

SSL (Secure Sockets Layer) is a standard security protocol that provides privacy for data and messages and allows the sent data to be authenticated. It is basically used to transmit users' personal or credit card information across the Internet.

Generally, the addresses of Web pages that use SSL connections begin with 'https:' instead of the standard 'http:'.

What worries the experts most is that the worm uses its own protocol to connect to peer-to-peer networks (peer-to-peer networks allow computer-to-computer connections; the closest example for home users is networks like KaZaa or Morpheus, which use this type of communication).

Using its own protocol allows any kind of command, even destructive ones, to be implemented and sent to all infected hosts without any kind of alert that could intercept it.

Curiously, Linux.Slapper.Worm makes its appearance exactly one year after the discovery of another massively propagating worm, Nimda. Nimda came to cause denial-of-service problems through the heavy scanning activity it generated looking for new computers, which compromised the performance of the networks involved due to the large consumption of bandwidth.

Slapper goes a step further, establishing communications between the Linux machines it infects, instead of just searching for them as Nimda did on Windows machines.

The worm exploits a buffer overflow in the OpenSSL software to execute a shell on the infected system.

The first reported version contains the code needed to mount distributed denial-of-service attacks (several servers attacking a single victim in a coordinated way).

The worm tries to connect through port 80 (a normal HTTP request) with an invalid GET request, in order to identify the system (Apache server on Linux).

Next, it attempts a connection through TCP port 443, sending data that lets it detect the presence of an SSL service on the machine to be infected.

The shell code the worm uses on Linux only works on Intel processors. It also requires the shell to be located at /bin/sh in order to execute.

The worm creates a uuencoded copy of itself in /tmp/.uubugtraq and, using its own decoding routine (uudecode), decodes it into the file /tmp/.bugtraq.c

The only way to show the file ".bugtraq.c" with the "ls" command is to use the "-a" parameter (ls -a).

Next, the worm uses the "gcc" compiler to create an executable copy of itself in /tmp/.bugtraq.

This binary is executed with an IP address as a parameter. This address corresponds to the attacker's machine and is used to build a network of worm-infected systems in order to carry out denial-of-service attacks.

Each compromised system listens on UDP port 2002, waiting for further instructions.

The worm uses its own table to generate class A IP addresses, which allows it to reach new machines running Apache servers.

The worm only works on computers with an Intel processor running the following Linux distributions, with the Apache server and an OpenSSL version prior to the aforementioned 0.9.6g:
Red Hat
SuSE
Mandrake
Slackware
Debian

Slapper is very similar to the Scalper worm (see "Scalper, the worm that attacks the Apache vulnerability", »www.vsantivirus.com/scalper.htm ), and its theory of propagation is similar to that of the famous CodeRed ( »www.vsantivirus.com/codered.htm ), which infected Microsoft IIS servers (July 2001).

Recommendations

The worm depends on the presence of the "gcc" compiler on the infected computer to work correctly. In addition, this software must be executable by the Apache user. Therefore, one protective measure would be to remove "gcc" from the system or restrict access to it.

Manual removal

To remove the virus manually, first of all make sure to update your Linux antivirus with the latest definitions, then proceed to scan your system.

The worm can be removed by killing the "bugtraq" process with the UNIX "kill" command.

In addition, the following files must be deleted:

/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq

No mechanism has been detected that would allow the worm to restart on its own.

It is suggested to isolate the infected system from any network and Internet connection until the worm removal procedure is complete.

Then, follow the instructions in the following article to fix the OpenSSL vulnerability that allows the worm to execute:

OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow
»online.securityfocus.com ··· solution

More information:

CERT® Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
»www.cert.org/advisories/ ··· -23.html

The OpenSSL security advisory
»www.openssl.org/news/sec ··· 0730.txt

Debian security advisory
»www.debian.org/security/ ··· /dsa-136

Mandrake security advisory
»www.mandrakelinux.com/en ··· -046.php

RedHat security advisory
»rhn.redhat.com/errata/RH ··· 155.html

SuSE security advisory
»www.suse.com/de/security ··· ssl.html
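The host-side checks and cleanup that the advisory above describes, written out as an added example (this is not code from the thread, from VSantivirus or from any vendor). The dropped file paths, the process name, UDP port 2002 and the fixed version 0.9.6g are taken from the advisory; the function names, the awk version comparison and the use of pgrep, netstat and ss are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the VSantivirus advisory. The artifact
# paths (/tmp/.uubugtraq, /tmp/.bugtraq.c, /tmp/.bugtraq), the process name,
# UDP port 2002 and the fixed OpenSSL version 0.9.6g come from the advisory;
# the function names and the tools used (awk, pgrep, netstat/ss) are assumptions.

# ssl_at_least HAVE NEED: true when OpenSSL version HAVE is at least NEED.
# OpenSSL 0.9.x versions carry a trailing patch letter (0.9.6e < 0.9.6g), and
# a version with no letter sorts before the same version with one.
ssl_at_least() {
    awk -v have="$1" -v need="$2" '
    function vkey(v,    p, letter) {
        letter = 0
        if (match(v, /[a-z]$/)) {
            letter = index("abcdefghijklmnopqrstuvwxyz", substr(v, RSTART, 1))
            v = substr(v, 1, RSTART - 1)
        }
        split(v, p, ".")
        return p[1] * 1000000 + p[2] * 10000 + p[3] * 100 + letter
    }
    BEGIN { exit !(vkey(have) >= vkey(need)) }'
}

# slapper_files_present [DIR]: list the dropped files under DIR (default /tmp);
# true when at least one exists. The names start with a dot, so a plain "ls"
# does not show them.
slapper_files_present() {
    dir=${1:-/tmp}
    found=1
    for f in .uubugtraq .bugtraq.c .bugtraq; do
        if [ -e "$dir/$f" ]; then
            echo "worm artifact: $dir/$f"
            found=0
        fi
    done
    return $found
}

# slapper_remove_artifacts [DIR]: delete the three dropped files under DIR.
slapper_remove_artifacts() {
    dir=${1:-/tmp}
    for f in .uubugtraq .bugtraq.c .bugtraq; do
        rm -f "$dir/$f"
    done
}

# slapper_host_check: live checks on this host, following the advisory's
# cleanup order (isolate, kill, delete, patch). Prints only findings.
slapper_host_check() {
    have=$(openssl version 2>/dev/null | awk '{ print $2 }')
    if [ -n "$have" ] && ! ssl_at_least "$have" 0.9.6g; then
        echo "openssl $have is older than 0.9.6g: apply the vendor update"
    fi
    # the compiled copy runs as a process named .bugtraq
    if pgrep -x '\.bugtraq' >/dev/null 2>&1; then
        echo "worm process running: pkill -x .bugtraq, then remove artifacts"
    fi
    slapper_files_present /tmp
    # infected hosts wait for peer instructions on UDP 2002
    if (netstat -anu 2>/dev/null || ss -anu 2>/dev/null) | grep -q ':2002 '; then
        echo "UDP port 2002 is open: possible peer-to-peer listener"
    fi
    # the worm needs gcc runnable as the Apache user; show its mode so it can
    # be restricted (for example, chmod o-x on the compiler binary)
    gcc_path=$(command -v gcc 2>/dev/null) && ls -l "$gcc_path"
}

# Usage: sh slapper_check.sh --host   (run as root on the server to inspect)
case "${1:-}" in
    --host) slapper_host_check ;;
esac
```

Run it with `--host` on a suspect server after pulling its network cable, as the advisory suggests; the version check is deliberately a pure function so the threshold can be changed if a vendor backports the fix under a different version string.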
Name Game to elboricua
Here is some very good information at Wilders including the F-Secure's Global Slapper Information Center for this new threat.

»www.wilderssecurity.com/ ··· did=3655

:-(

[text was edited by author 2002-09-16 12:35:11]
Tuulilapsi (Member, join: 2002-07-29, Finland) to elboricua

Interestingly, I've not heard of anyone I know being infected with this one yet. I hope it stays that way, and I'll definitely forward a link to this thread to my friends. Using Linux can sometimes create a false sense of security, of which my friends with no anti-virus or anti-anything other than their firewall are living proof.

Name Game

said by Tuulilapsi:
Interestingly, I've not heard of anyone I know being infected with this one yet. I hope it stays that way, and I'll definitely forward a link to this thread to my friends. Using Linux can sometimes create a false sense of security, of which my friends with no anti-virus or anti-anything other than their firewall are living proof.

If you work hard enough in a life of destruction you can find many targets.

Link Logger (MVM, join: 2001-03-29, Calgary, AB) to elboricua

I tried to give everyone an early heads-up on this in »OpenSSL Worm on the hunt

What makes this really bad is that, unlike Code Red or Nimda, someone is controlling these machines and could issue orders to do whatever. In short, it could be very bad depending on what they choose to do. Plus this could be a very long-standing army of systems, based on how fast people clean up and patch systems. I can also see a battle coming up between hackers as they fight to control these armies.

Blake