OpenSSL worm in the wild
I have now seen a worm for the OpenSSL problems I reported a few weeks back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should be _seriously worried_.

It appears to be exclusively targeted at Linux systems, but I wouldn't count on variants for other systems not existing.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Ok,

The incident analysis team over here is examining this thing. At first glance it looks reasonably sophisticated. Looks to me like it exploits the issue described as BID 5363, http://online.securityfocus.com/bid/5363.

It seems to pick targets based on the "Server:" HTTP response field. Mario Van Velzen proposed a quick workaround of disabling ServerTokens or setting it to ProductOnly to turn away at least this version of the exploit until fixes can be applied.

Another thing to note is that it communicates with its friends over UDP / port 2002.

I'd like to request IP addresses of hosts that have been compromised or that are currently attacking systems from anyone who is comfortable sharing this information. We wish to run it through TMS (formerly known as ARIS) to see how quickly it is propagating.

David Ahmad
Symantec
http://www.symantec.com/

On Fri, 13 Sep 2002, Ben Laurie wrote:

> I have now seen a worm for the OpenSSL problems I reported a few weeks back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should be _seriously worried_.
>
> It appears to be exclusively targeted at Linux systems, but I wouldn't count on variants for other systems not existing.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
> http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
My RH7.2 machine was hit by this worm at 9PM Australian EST Sunday night (6AM US East Coast time not counting summertime) and I had not noticed mention of it on BugTraq. Web searches found no mention of it, but the worm arrives as nicely written source in /tmp/, so I figured it out, turned off SSL and rebooted.

About 6 hours later, a CERT page appeared and I expected this to be announced on BugTraq, but since it hasn't yet, here is the URL for the "Apache/mod_ssl worm, linux.slapper.worm and bugtraq.c worm.":

http://www.cert.org/advisories/CA-2002-27.html

It depends on the SSL vulnerabilities described on 30 July which I had erroneously not dealt with on my machine:

http://www.cert.org/advisories/CA-2002-23.html

"Linux.slapper" indeed! My 56k link to the Net was flooded with UDP port 2002 packets from other machines. The financial cost of this over a few days at ~USD$0.09 a Megabyte would have been serious and the link almost unusable, but my ISP (Telstra Internet) quickly responded to my 3AM request and filtered UDP port 2002 at their router.

- Robin
http://www.firstpr.com.au
http://fondlyandfirmly.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
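Two defender-side checks for the points raised in Dave Ahmad's and Robin Whittle's messages, added here as an example (this is not code from the thread, from Apache or from CERT): flag sources generating UDP port 2002 traffic in iptables-style log lines, and check whether an httpd.conf still leaves ServerTokens at a level that reveals version and OS in the Server: header. The log lines, addresses and function names are constructed for illustration.

```python
# Added example, not from the thread. Two checks a defender could run after
# reading the messages above: (1) which hosts are talking over UDP port 2002,
# the peer-to-peer port the thread attributes to the worm, and (2) whether an
# Apache config still advertises version/OS detail via ServerTokens.
import re
from collections import Counter

# Constructed iptables-style log lines (not a real capture).
SAMPLE_LOG = """\
Sep 15 03:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 15 03:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 15 03:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=443 LEN=60
Sep 15 03:01:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=2002 DPT=2002 LEN=68
Sep 15 03:01:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=2002 DPT=2002 LEN=68
"""

FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def suspect_peers(log_text, threshold=3):
    """Return {src: count} for sources with >= threshold UDP datagrams
    where either port is 2002 (hypothetical helper name)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m or m["proto"] != "UDP":
            continue
        if "2002" in (m["spt"], m["dpt"]):
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def server_tokens_exposed(httpd_conf):
    """True if the config leaves ServerTokens at a level that reveals
    version/OS detail. Apache defaults to Full when the directive is absent;
    only Prod/ProductOnly is treated as hidden here, matching the thread's
    workaround (hypothetical helper name)."""
    level = "Full"
    for line in httpd_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.lower().startswith("servertokens"):
            parts = line.split()
            if len(parts) >= 2:
                level = parts[1]               # last directive wins
    return level.lower() not in ("prod", "productonly")

if __name__ == "__main__":
    print("UDP/2002 talkers:", suspect_peers(SAMPLE_LOG))
    print("ServerTokens exposed:", server_tokens_exposed("ServerTokens Full\n"))
```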