NZ escapes worst of Slapper

The Slapper computer worm - subject of a recent CERT Coordination Center security advisory - continues its spread across the internet but has yet to make an impact on New Zealand according to local open source systems integrators.

Slapper exploits vulnerabilities in Linux Apache web servers that have not been patched for flaws in the OpenSSL library.

Of the three systems integrators Computerworld spoke to, only one had heard of a server being affected. Auckland-based Asterisk managing director Chris Hegan says his company did an immediate survey of all the Apache servers it had built or supports.

“There are different kinds of SSL [secure sockets layer] and we only had one server, which was potentially vulnerable. We heard of one case (not ours) which was running on an old SUSE box but it was so badly installed the worm couldn’t do its work.”

Once Slapper worms its way into a vulnerable Linux Apache web server, it forces the server to join a peer-to-peer network. Hackers can use the Slapper peer-to-peer network to deliver files.

The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, is already believed to have infected over 13,000 Apache web servers, according to Helsinki-based F-Secure, a computer and network security company.

Dave Lane of Egressive in Christchurch says he is not aware of any local Linux machines affected by the Slapper worm.

“The worm can only get access to a machine with a specific configuration. It must be an Intel platform running the Apache web server 1.3.x and it must provide secure web serving with a vulnerable version of the OpenSSL implementation of the Secure Sockets Layer via the mod_ssl module. In addition the Apache/mod_ssl must run on port 443 and it must also provide a server broadcast telling anyone who polls that port what version of Apache/mod_ssl it is running.”

Lane says this is usually turned off by default on systems built from Linux distributions.
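As an added example (not from the article or from any of the companies quoted), the following Python check reads an Apache 1.3 configuration and flags the two conditions Lane describes: an SSL virtual host answering on port 443, and a server banner that tells anyone who polls the port which Apache/mod_ssl version is running. The directive names (Listen, SSLEngine, ServerTokens, ServerSignature) are Apache's own; the configuration fragment is constructed for the example.

```python
import re

# Constructed sample of an Apache 1.3 httpd.conf fragment (not from the article):
# mod_ssl serving on 443 with the full version banner enabled.
SAMPLE_CONF = """
LoadModule ssl_module libexec/libssl.so
ServerTokens Full
ServerSignature On
Listen 80
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

def audit_apache_conf(conf: str) -> dict:
    """Flag the two exposure conditions described in the article.

    Returns ssl_on_443 (bool), banner_leaks_version (bool) and a list of findings.
    """
    def directive(name):
        # First occurrence of a top-level-looking directive, case-insensitive.
        return re.search(rf"^\s*{name}\s+(\S+)", conf, re.M | re.I)

    findings = []

    # Condition 1: an SSL-enabled VirtualHost reachable on port 443.
    listens_443 = bool(re.search(r"^\s*Listen\s+(?:\S+:)?443\b", conf, re.M | re.I))
    ssl_vhost = re.search(r"<VirtualHost[^>]*:443>.*?SSLEngine\s+on.*?</VirtualHost>",
                          conf, re.S | re.I)
    ssl_on_443 = listens_443 and ssl_vhost is not None
    if ssl_on_443:
        findings.append("mod_ssl vhost answers on 443: confirm OpenSSL is updated")

    # Condition 2: the Server header announces the Apache/mod_ssl version.
    # Apache 1.3 defaults ServerTokens to Full, so a missing directive counts as leaking.
    tokens = directive("ServerTokens")
    tokens_value = tokens.group(1).lower() if tokens else "full"
    signature = directive("ServerSignature")
    signature_value = signature.group(1).lower() if signature else "off"
    banner_leaks_version = tokens_value not in ("prod", "productonly") or signature_value == "on"
    if banner_leaks_version:
        findings.append(f"version banner exposed (ServerTokens {tokens_value}, "
                        f"ServerSignature {signature_value}); use ServerTokens Prod, ServerSignature Off")

    return {"ssl_on_443": ssl_on_443, "banner_leaks_version": banner_leaks_version,
            "findings": findings}

if __name__ == "__main__":
    for finding in audit_apache_conf(SAMPLE_CONF)["findings"]:
        print("-", finding)
```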

Adam Boileau of Asterisk says mod_ssl allows encryption to be more tightly integrated with Apache.

“Most of our customers don’t want that level of SSL encryption and we mainly use Debian which doesn’t have it automatically turned on.”

Auckland-based Nothingbutnet’s Peter Harrison also says he is not aware of any affected sites.

“Most sites I deal with do not in fact run SSL. I don’t have numbers on how many sites would be vulnerable in New Zealand, but it’s fair to assume that there are a reasonable number of unpatched machines running in New Zealand.”

Harrison says system administrators running OpenSSL should run an update to OpenSSL.

“Many Linux systems can do this by a simple one-line command and the update can be freely obtained from the internet, and doesn’t require you to agree to any additional licence terms.”

All three integrators were quick to compare the numbers with those of attacks on Microsoft IIS servers.

“Compared to the infections caused by the previous IIS worms this is trivial,” says Harrison.

According to the UK-based web server information firm Netcraft, Apache runs 60% of all web servers, almost twice the number of MS IIS installs.

The Nimda and Code Red worms were still holding places in the top 20 viruses detected worldwide in April by Kaspersky Labs, and according to antivirus vendor Symantec there are more than 35,000 Nimda-related attacks occurring every day on corporate networks.

Lane says last year Nimda and Code Red affected 86,000 and 400,000 Windows servers respectively running Microsoft IIS.

“It is also important to note that systems compromised by Slapper were not fully compromised - the worm does not get ‘root’ or administrator access to the system, therefore the damage it can do is limited to the very small portion of the system accessible to the unprivileged Apache user.”

He says this is in “stark contrast” to the Microsoft Windows/IIS systems.

“When local access to the system is gained via a hole like that exploited by Nimda or Code Red, administrative access can be gained trivially. The ‘compartment’ based user model of Unix and Linux is fundamentally more secure in design than that employed by MS Windows.”
