Re: OpenSSL worm in the wild

From: Eric Rescorla (
Date: 09/13/02

To: Dave Ahmad <>
From: Eric Rescorla <>
Date: 13 Sep 2002 14:08:43 -0700

Eric Rescorla <> writes:
> especially
> since one could easily modify the worm to attack all servers
> or, perhaps, those which only display Product ID :)
... or maybe not.

I hadn't seen a copy of the worm yet, so I guessed from your
description that it was using the Server: value to detect who is
running downrev versions of OpenSSL. Not so.

Upon examination, it looks like the worm uses the server version to
decide what section of memory to overwrite (based on the target OS)
and server version. So, if people reconfiged their servers to not give
you this information, a worm author would either have to have the worm
try all possible exploits (not a big deal with only 20 architectures
to search) or have some other evidence as to what OS/Apache version
people were runnning.

Note that for this to be a 100% countermeasure you'd have to
reconfigure your server not to advertise Apache at all. Otherwise,
it looks to me like the worm assumes that you're running
Red Hat/Apache 1.3.23, in which case there's a real chance
that the worm will crash your server by using the wrong
overwrite offset.


[Eric Rescorla                         ]