The Slapper worm continued to spread quickly over the weekend, with some security experts putting the number of compromised servers as high as 6,000.
As first reported by eWeek on Friday, the worm attacks Linux machines running the Apache Web server software with the OpenSSL tools installed. It exploits a buffer overrun vulnerability in the SSL handshake process using a forged client master key. It scans the Internet for vulnerable Apache machines and tries to deduce the Linux distribution on each machine from information in the "Server:" response header, experts say.
Once it has infected a server, Slapper installs both a backdoor and a set of tools that can be used to launch a variety of distributed denial-of-service attacks. There have been some reports of infected servers being used to attack Web sites already.
The backdoor that Slapper installs accepts remote command execution from any user, without authentication. This means that any attacker who is able to locate a number of infected machines could then use them to launch a DDoS attack.
The worm is capable of launching several discrete DDoS attacks, including TCP/IP floods, UDP floods and, perhaps most troubling, DNS floods, according to an analysis by Internet Security Systems Inc.'s X-Force research team.
The worm communicates with other infected servers using a peer-to-peer network and uses UDP port 2002.
On July 30, The OpenSSL Project issued a security bulletin warning of four separate vulnerabilities in all versions of the software up to release 0.96d. All four flaws are buffer overruns, and all are remotely exploitable.
Version 0.96e, which was released the same day as the security bulletin, fixes the vulnerability.