Security firms are tracking a new worm that is attacking Linux-based Web servers running the OpenSSL software.
The worm appears to be exploiting one of the vulnerabilities in OpenSSL that were discovered in late July. A preliminary analysis by experts at Symantec Corp. has found that the worm picks targets based on the “server:” response field and is communicating with other infected machines via a peer-to-peer network.
Upon infecting a Web server, the worm compiles itself and then connects back to the server from which it was sent. The infected machines appear to communicate with each other over UDP port 2002.
There is no report yet on whether the worm does any damage to the machines it infects, but it does scan the local network for e-mail addresses, according to Oliver Friedrichs, a senior manager with Symantecs Security Response Center in Cupertino, Calif.
“Its unique in that it communicates using a peer-to-peer network. Theres been some talk about a worm eventually doing that, but this is the first one weve actually seen,” Friedrichs said.
On July 30, The OpenSSL Project issued a security bulletin warning of four separate vulnerabilities in all versions of the software up to release 0.96d. All four flaws are buffer overruns, and all are remotely exploitable.
Version 0.96e, which was released the same day as the security bulletin, fixes the vulnerability.
Many machines running the popular Apache Web server also run OpenSSL, Friedrichs said, which means there is a large pool of potentially vulnerable machines on the Internet.
Symantec first began receiving reports of the worm on Friday morning, and although there has been a steady stream of reports since, the infection rate does not appear to be anywhere near that of the Code Red or Nimda worms of last year.