Network Worms Continue To Attack Linux
04 Oct 2002
Worm "Mighty" Intensifies the Threat Against Linux.
Following on the heals of the "Slapper" worm, which only two weeks ago was detected attacking Linux computers, comes the next outbreak, this time the work of the Linux-worm "Mighty"
. Presently Kaspersky Lab has registered over 1,600 infected systems the world over.
Many features of "Mighty" are taken from its predecessor, the network worm "Slapper". Like "Slapper", "Mighty" infects computers running Linux and the Apache Web-server and also uses the OpenSSL Security System exploit to gain access. Moreover, "Mighty" partly borrows the source code spreading method from "Slapper": to ensure compatibility with all versions of OpenSSL, one of the worm's components (sslx.c, which is responsible for penetration via the security system vulnerability) recompiles itself anew on each computer.
In addition to infecting systems, "Mighty" also sets up a backdoor utility (designed to gain unauthorized control). In turn, this utility connects with one of the remote IRC channels where it receives ill-intentioned commands, which it then executes on the infected system. In this way "Mighty" is able to leak out confidential information, corrupt important data, and also use infected machines to conduct distributed DoS attacks and other nasty activities.
To avert infection, Kaspersky Lab, above all recommends users install the latest version of OpenSSL (for versions older than 0.9.7-beta, 0.9.6e) and to update their anti-virus program databases.
The defense against "Mighty" has already been added to the Kaspersky Anti-Virus databases.
A more detailed description of the "Mighty" network worm can be found in the Kaspersky Virus Encyclopedia