Re: OpenSSL worm in the wild

From: Eric Rescorla (ekr@rtfm.com)
Date: 09/13/02


To: Dave Ahmad <da@securityfocus.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 13 Sep 2002 14:08:43 -0700

Eric Rescorla <ekr@rtfm.com> writes:
> especially
> since one could easily modify the worm to attack all servers
> or, perhaps, those which only display Product ID :)
... or maybe not.

I hadn't seen a copy of the worm yet, so I guessed from your
description that it was using the Server: value to detect who is
running downrev versions of OpenSSL. Not so.

Upon examination, it looks like the worm uses the server version to
decide what section of memory to overwrite (based on the target OS
and server version). So, if people reconfigured their servers to not give
you this information, a worm author would either have to have the worm
try all possible exploits (not a big deal with only 20 architectures
to search) or have some other evidence as to what OS/Apache version
people were running.

Note that for this to be a 100% countermeasure you'd have to
reconfigure your server not to advertise Apache at all. Otherwise,
it looks to me like the worm assumes that you're running
Red Hat/Apache 1.3.23, in which case there's a real chance
that the worm will crash your server by using the wrong
overwrite offset.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
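As an added illustration of the banner point discussed in the message above (this is example code written for this archive page, not code from Eric Rescorla or from the worm), the script below parses an HTTP `Server:` header the way Apache 1.3 builds it under the `ServerTokens` directive and reports what a remote party can learn from it: exact version, operating system, and loaded modules such as `mod_ssl`/`OpenSSL`. The sample banners are constructed; the mapping of banner shapes to the `ServerTokens` levels (Prod, Major, Minor, Min, OS, Full) follows Apache's documented behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Banner:
    """Pieces of an Apache-style Server: header."""
    product: Optional[str]
    version: Optional[str]
    os: Optional[str]
    modules: List[str] = field(default_factory=list)


# Leading "Product/version" token, e.g. "Apache/1.3.23"; everything after it
# is either parenthesised OS info or module/version tokens.
_LEAD_RE = re.compile(r'^([A-Za-z][\w-]*)(?:/([\w.]+))?(.*)$')
_PAREN_RE = re.compile(r'\(([^)]*)\)')


def parse_server_banner(header: str) -> Banner:
    m = _LEAD_RE.match(header.strip())
    if not m:
        return Banner(product=None, version=None, os=None)
    product, version, rest = m.groups()
    # Apache may emit several parenthesised groups, e.g. "(Unix) (Red-Hat/Linux)".
    os_parts = _PAREN_RE.findall(rest)
    modules = _PAREN_RE.sub(' ', rest).split()
    return Banner(product, version, ' '.join(os_parts) or None, modules)


def server_tokens_level(banner: Banner) -> str:
    """Infer which ServerTokens setting would produce this banner."""
    if banner.product != 'Apache':
        return 'unknown'
    if banner.modules:
        return 'Full'      # e.g. Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6c
    if banner.os:
        return 'OS'        # e.g. Apache/1.3.23 (Unix)
    if banner.version is None:
        return 'Prod'      # just "Apache"
    components = banner.version.count('.') + 1
    return {1: 'Major', 2: 'Minor'}.get(components, 'Min')


def disclosure_report(header: str) -> dict:
    """What a scanner selecting targets by banner could read off this header."""
    b = parse_server_banner(header)
    level = server_tokens_level(b)
    return {
        'level': level,
        'os_disclosed': b.os is not None,
        'exact_version_disclosed': level in ('Min', 'OS', 'Full'),
        'modules_disclosed': bool(b.modules),
        'hardened': level == 'Prod',
    }


if __name__ == '__main__':
    # Constructed sample banners, not captured from any real host.
    for h in ('Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6c',
              'Apache/1.3.23 (Unix)  (Red-Hat/Linux)',
              'Apache/1.3', 'Apache'):
        print(h.ljust(55), disclosure_report(h))
```

Setting `ServerTokens Prod` (and `ServerSignature Off`) reduces the banner to the bare product name, which is the only level the report marks as hardened. As the message points out, that only removes the version hint; a worm that falls back to a default offset can still crash an unpatched server, so the banner change complements upgrading OpenSSL rather than replacing it.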
