Apache_mod_ssl Worm Alert

Reference
Risk Impact
Affected Components
Overview

The exploit code used by this worm also includes a number of peer-to-peer capabilities, which allow it to communicate with other infected clients and to participate in a Distributed Denial of Service (DDoS) network. For these activities the exploit code listens on UDP port 2002. The exploit further exhibits worm behavior: indications are that, once it is set up on a compromised host, it scans for and attempts to propagate to other vulnerable systems. Various sources confirm that this worm is in the wild and actively attacking other servers. According to DeepSight Threat Management System data and other sources, over 3,500 IP addresses have been recorded as the source of scanning and associated activity.

Details

Once certain pre-conditions are met, the exploit scans for and targets vulnerable machines. It scans for vulnerable machines in the following /8 networks (first octet):

3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239

When scanning, the worm first connects to port 80 of a target machine to determine whether it can communicate with that port.
It then sends the following request:

GET / HTTP/1.1\r\n\r\n

This is an invalid HTTP/1.1 request because it lacks the "Host:" header that HTTP/1.1 requires, so a typical Apache server responds with something similar to:

HTTP/1.1 400 Bad Request

The exploit then scans the reply for the "Server:" header. If the value that follows it starts with "Apache", the exploit judges the target to be a candidate for exploitation. This banner check is only a targeting heuristic: the vulnerability itself lies in the SSLv2 handling of the OpenSSL library used by mod_ssl (see below), so a patched host, or one with SSL disabled, will still be probed on port 80 as long as its banner begins with "Apache".

The exploit also contains a number of peer-to-peer features that allow it to communicate with a network of other infected hosts. This would allow the attacker to control a large number of infected hosts in a future DDoS attack.

Symantec Security Response

Patches are available for numerous operating systems and engines. The authors of the OpenSSL software have released version 0.9.6e, which corrects the issue. Since the release of 0.9.6e, the authors have released a number of versions that incorporate this patch and fix other issues; at the time of writing the most recent version is 0.9.6g.

A workaround has been suggested for administrators who are unable to install the patch: disable the SSL engine in the Apache Web server by modifying the configuration file to remove all SSL-related configuration items. This includes, but is not limited to:
- SSL-related "LoadModule" directives in the configuration file.

Symantec recommends that administrators keep a backup copy of the configuration file for comparison and recovery purposes.

Administrators may also disable SSL version 2, the protocol whose handling contains the vulnerability used by this worm. Symantec recommends that administrators consult the documentation for their particular product and distribution, but the following steps can prevent use of the vulnerable SSLv2 protocol while still allowing TLS or SSLv3. After making a backup copy of the configuration file, administrators can modify the "SSLCipherSuite" directive in the configuration file by either:
The result can be tested with the "openssl s_client" utility shipped with the OpenSSL package, for example by attempting an SSLv2-only connection ("openssl s_client -ssl2 -connect host:443"), which should be refused once SSLv2 is disabled while a connection attempted without that option still succeeds. Where the installed mod_ssl supports the "SSLProtocol" directive, SSLv2 can also be disabled at the protocol level rather than only by excluding its ciphers.

Administrators can also modify the string that identifies the server. Because this changes the value returned in the "Server:" header, the exploit will not attempt to exploit and infect that host. Note that this only hides the host from the worm's targeting check; it does not remove the vulnerability. The string is defined in the file "src/include/httpd.h", where the following definitions state the vendor, product, and version number:
#define SERVER_BASEVENDOR

Once these definitions have been changed to custom strings, Apache can be recompiled and the new binary used to replace the currently running one.

Removal Instructions
The worm writes its files to the /tmp directory, including:

/tmp/.uubugtraq

Only the "/tmp/.bugtraq" file contains an executable binary of the worm. The worm does not appear to install any mechanism that would restart it after a system reboot. On a running host, the indicators are the files above and a process listening on UDP port 2002 (see Overview).

NOTE: If you suspect that a system has been compromised, isolate the infected system(s) quickly to prevent further compromise of enterprise systems. Perform forensic analysis and restore the system from trusted media.

Symantec Enterprise Solutions

CVE

This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credits

Copyright (c) 2002 by Symantec Corp.

Disclaimer

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
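Worked example (added here; not part of the Symantec advisory and not the worm's own code): the target-selection probe from the Details section, reproduced exactly as the advisory documents it. The code sends "GET / HTTP/1.1" with no Host: header and treats the host as a candidate only if the Server: header value in the reply begins with "Apache". All replies below are constructed for illustration, and the version strings in them are assumed.

```python
"""Emulation of the worm's target-selection probe from the Details section.

Added example, not Symantec's advisory text nor the worm's own code. It
reproduces only what the advisory documents: send GET / HTTP/1.1 followed by
two CRLFs to port 80 and treat the host as a candidate if the Server: header
value in the reply begins with "Apache". The sample replies are constructed.
"""
import socket
from typing import Optional

PROBE = b"GET / HTTP/1.1\r\n\r\n"   # no Host: header, so HTTP/1.1 servers answer 400


def server_header(reply: bytes) -> Optional[str]:
    """Return the value of the Server: header of an HTTP reply, or None."""
    head, _sep, _body = reply.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:            # [0] is the status line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def is_candidate(reply: bytes) -> bool:
    """The worm's selection test: does the Server: value start with 'Apache'?"""
    banner = server_header(reply)
    return banner is not None and banner.startswith("Apache")


def probe_host(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Send the probe to a live host and return the raw reply headers (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE)
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


# Constructed replies (illustrative, not captured traffic). A stock Apache 1.3
# answers the Host-less request with 400 and its normal Server: banner.
APACHE_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Mon, 16 Sep 2002 10:00:00 GMT\r\n"
    b"Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD></HTML>\r\n"
)
# The same server after the httpd.h strings were changed and Apache rebuilt,
# as the advisory suggests: the banner no longer begins with "Apache".
REBRANDED_400 = APACHE_400.replace(
    b"Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d", b"WebServer/1.0")
OTHER_400 = b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
NO_BANNER_400 = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for name, reply in [("stock Apache", APACHE_400), ("rebranded", REBRANDED_400),
                        ("other server", OTHER_400), ("no banner", NO_BANNER_400)]:
        print(f"{name:13s} -> candidate: {is_candidate(reply)}")
```

Two points follow from running it. The rebranded reply shows why the advisory recommends editing httpd.h and recompiling rather than relying on a configuration setting: Apache's "ServerTokens Prod" still reports a banner beginning with "Apache", which this check accepts. And because the check is purely a banner match, hiding the banner changes nothing about the SSLv2 vulnerability; patching OpenSSL or disabling SSLv2 remains the actual fix.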
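Worked example (added here; not part of the Symantec advisory): detecting the probe described in the Details section from the defender's side. Because the worm's first step is a bare "GET / HTTP/1.1" with no Host: header, which Apache answers with 400, an access log in Common Log Format records each probe as exactly that request line with status 400. The log format and the log lines below are assumed and constructed for illustration; the status code stands in for the missing Host: header, which the log itself does not record, so other malformed requests can also produce 400s and the request-line match is what narrows it down.

```python
"""Flag sources that probed this server the way the Details section describes.

Added example, not Symantec's code. Assumes Apache's Common Log Format
(host ident user [time] "request" status bytes). The worm's probe shows up as
the exact request line "GET / HTTP/1.1" answered with status 400. The sample
log lines are constructed, not real traffic.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
PROBE_REQUEST = "GET / HTTP/1.1"   # exactly what the worm sends, without Host:


def parse_clf(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Split one CLF line into (client ip, time, request line, status)."""
    match = CLF.match(line)
    if not match:
        return None
    ip, ts, request, status, _size = match.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, request, int(status)


def probe_events(lines: Iterable[str]) -> List[Tuple[str, datetime]]:
    """(ip, time) for every entry matching the worm's probe signature."""
    events = []
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ip, when, request, status = parsed
        if request == PROBE_REQUEST and status == 400:
            events.append((ip, when))
    return events


def scanning_sources(lines: Iterable[str]) -> Dict[str, int]:
    """Distinct probing addresses with their probe counts, most active first."""
    counts = Counter(ip for ip, _ in probe_events(lines))
    return dict(counts.most_common())


def burst_detected(lines: Iterable[str], window_seconds: int = 300,
                   min_sources: int = 3) -> bool:
    """True if at least min_sources distinct probers fall inside one window.

    A single bare request can be a misconfigured client; many distinct
    sources in a short window is the worm's scanning pattern.
    """
    events = sorted(probe_events(lines), key=lambda e: e[1])
    for i, (_, start) in enumerate(events):
        seen = {ip for ip, t in events[i:]
                if (t - start).total_seconds() <= window_seconds}
        if len(seen) >= min_sources:
            return True
    return False


# Constructed sample log: normal browsing from 192.0.2.10, a legitimate
# HTTP/1.0 request (no Host: needed, answered 200), an unrelated 400, and
# probes from three different sources.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2002:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1502
198.51.100.7 - - [16/Sep/2002:10:00:05 +0000] "GET / HTTP/1.1" 400 373
192.0.2.10 - - [16/Sep/2002:10:00:09 +0000] "GET /style.css HTTP/1.1" 200 811
203.0.113.44 - - [16/Sep/2002:10:01:12 +0000] "GET / HTTP/1.1" 400 373
198.51.100.7 - - [16/Sep/2002:10:01:40 +0000] "GET / HTTP/1.1" 400 373
192.0.2.99 - - [16/Sep/2002:10:02:00 +0000] "GET / HTTP/1.0" 200 2113
192.0.2.10 - - [16/Sep/2002:10:02:30 +0000] "GET /%00 HTTP/1.1" 400 373
203.0.113.91 - - [16/Sep/2002:10:03:15 +0000] "GET / HTTP/1.1" 400 373
""".splitlines()

if __name__ == "__main__":
    print("probing sources:", scanning_sources(SAMPLE_LOG))
    print("burst within 5 min:", burst_detected(SAMPLE_LOG))
```

A host that appears here is a likely infected peer rather than merely a curious client, since the worm only probes from hosts it has already compromised; the list is a starting point for the isolation and forensic steps in the Removal Instructions above, and the same sources can be cross-checked against the UDP port 2002 peer-to-peer traffic the advisory describes.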