Slapper worm spreads its disease

The Internet Storm Centre (ISC), the early warning system from the Sans Institute, is on yellow alert for the first time in months as the Slapper worm continues its infection of Apache web servers.

The worm was first spotted in the wild at the end of last week, entering systems by exploiting a vulnerability in the open Secure Socket Layer (SSL) library used in SSL-capable programs.

Any systems running Apache and its associated SSL module are likely to be affected on both Intel and Sparc platforms.

The Slapper worm already features in the top five most prevalent attacks around the world, notching up almost as much activity as the most common attacks - those on port 80 - in almost every continent. The worm attacks on port 2002 and connects the target machine to the rest of the infected network by the User Datagram Protocol (UDP). This army of 'zombie' machines can then be used by the hackers as a tool to attack other servers.

Slapper-infected servers have already been linked to denial of service (DoS) attacks against other machines.

It is thought that some script kiddies found the source code for a concept attack known as peer-to-peer UDP Distributed DoS (PUD) on a security site and turned it into a working worm.

The ISC has confirmed that around 6,000 servers are currently infected. But speculation on the BugTraq security mailing list suggests that numbers may be as high as 30,000.

A patch has already been released by the OpenSSL crew, with details available here.