Ok, The incident analysis team over here is examining this thing. At first glance it looks reasonably sophisticated. Looks to me like it exploits the issue described as BID 5363, http://online.securityfocus.com/bid/5363. It seems to pick targets based on the "Server:" HTTP response field. Mario Van Velzen proposed a quick workaround of disabling ServerTokens or setting it to ProductOnly to turn away at least this version of the exploit until fixes can be applied. Another thing to note is that it communicates with its friends over UDP / port 2002. I'd like to request IP addresses of hosts that have been compromised or that are currently attacking systems from anyone who is comfortable sharing this information. We wish to run it through TMS (formerly known as ARIS) to see how quickly it is propagating. David Ahmad Symantec http://www.symantec.com/ On Fri, 13 Sep 2002, Ben Laurie wrote:
I have now seen a worm for the OpenSSL problems I reported a few weeks back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should be _seriously worried_.
It appears to be exclusively targeted at Linux systems, but I wouldn't count on variants for other systems not existing.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff