The so-called Linux.Slapper.Worm made its debut last weekend, exploiting a Secure Sockets Layer (SSL) vulnerability in Linux machines running the Apache Web server. As "Tech Live" reports tonight, the worm infected 3,500 machines last Friday.
Once installed, Slapper scans for other vulnerable machines using an engine that generates random IP addresses. While resident on a victimized machine, Slapper can mount a distributed denial-of-service attack and has been launching such attacks over the weekend.
According to a press release issued by the Internet Storm Center, the attacks have targeted the DNS servers of a large unnamed ISP. This type of DNS attack could prevent users of the targeted ISP from accessing websites.
Slapper is reminiscent of last year's infamous Code Red worm, a malicious program that exploited a security hole in Microsoft's Internet Information Server software to launch distributed denial-of-service attacks. Code Red has infected several hundred thousand machines since it first launched in July 2001.
Who's affected by Slapper
The worm affects Apache servers running on the SuSE, Mandrake, Red Hat, Slackware, and Debian flavors of Linux.
Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, and Macintosh machines are not affected.
How it works
Like the Code Red worm, Slapper scans for susceptible new machines using port 80, the conduit through which a browser accesses Internet content.
Once the worm finds a vulnerable machine, it downloads and executes its code on the new victim. Then the process starts all over as the new machine begins scanning for other vulnerable machines. If infected machines receive a denial-of-service instruction, they could begin flooding a target network, server, or website with data requests, shutting it down and slowing the Internet.
Apache market share
Apache's market share in August 2002 was more than double Microsoft's, according to British firm Netcraft. Apache runs 63.5 percent of all websites. Microsoft's IIS runs only 25.3 percent of servers, while other applications make up the rest, according to Netcraft.
Netcraft says that 32,400 Linux servers are running Apache, putting 20 percent of the server market at risk.
Servers that have patched the SSL vulnerability cannot be compromised.
Vulnerability warning reported earlier
On July 30 the Computer Emergency Response Team (CERT) Coordination Center issued a warning about the vulnerability that allows the worm to infiltrate Linux machines. In another comparison to Code Red, the SSL vulnerability stems from a buffer overflow that could be used by a remote attacker to execute arbitrary code on the target system.
CERT has also issued an advisory about the Slapper worm, which it calls the Apache/mod_ssl worm.
Slapping down Slapper
Patch information and virus-removal instructions can be found at the CERT site.
System administrators who have SSL servers based on Apache and OpenSSL should upgrade to prevent infection.
For now, Symantec rates the worm as a two (five is Symantec's most serious rating) because distribution is still limited and damage is so far minimal. But on Friday Symantec reported 1,500 new Slapper infections in a 12-hour period.