Reports are circulating of a Linux-targeted worm that exploits the recent OpenSSL bug in Apache mod_ssl deployments. On the available reporting the worm is in the early stages of distribution but gaining momentum.
What is being described
The worm:
- Targets Apache mod_ssl on Linux specifically.
- Exploits the OpenSSL buffer overflow reached during the SSL/TLS handshake (described in the reporting as the ASN.1 bug). Because the handshake happens before any application-level authentication, anyone who can open a TCP connection to the HTTPS port can trigger it; no credentials are needed.
- Installs itself on the compromised host.
- Builds a peer-to-peer network of compromised hosts (a notable structural choice).
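The first thing a practitioner wants from the list above is an inventory: which of my Apache hosts advertise a mod_ssl build on an unpatched OpenSSL? The following is an added example, not code from the original post or from any reporting on the worm. It triages Apache `Server` headers on the basis that the July 2002 OpenSSL advisory fixes shipped in 0.9.6e (the 0.9.7 line was still in beta, so a bare `0.9.7` banner cannot be judged from the string). The sample banners are constructed, and `fetch_server_header` is an assumed helper for pulling the header from a live host.

```python
import re
import socket
import ssl
from collections import Counter

# Fix release for the July 2002 OpenSSL advisory on the 0.9.6 line.
FIXED_096 = (0, 9, 6, "e")

BANNER_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(server_header):
    """Pull (major, minor, patch, letter) out of an Apache Server header, or None."""
    m = BANNER_RE.search(server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(server_header):
    """Triage one Server header: 'no-mod_ssl', 'unknown', 'vulnerable' or 'patched'.

    The header is operator-configurable (ServerTokens) and costs nothing to fake,
    so this is a first pass for inventory, not proof either way. Distribution
    packages often backport the fix without bumping the version string, so a
    'vulnerable' result must be checked against the vendor advisory or against
    `openssl version` / package metadata on the host itself.
    """
    if "mod_ssl/" not in server_header:
        return "no-mod_ssl"
    v = parse_openssl_version(server_header)
    if v is None:
        return "unknown"            # ServerTokens hides the module versions
    if v[:3] > (0, 9, 6):
        return "unknown" if v[:3] == (0, 9, 7) else "patched"
    return "patched" if v >= FIXED_096 else "vulnerable"


def triage(banners):
    """Count classifications over a list of Server headers."""
    return Counter(classify(b) for b in banners)


def fetch_server_header(host, port=443, timeout=5.0):
    """Assumed helper: fetch the Server header over HTTPS. Certificate
    verification is disabled on purpose because inventory targets rarely
    present a certificate that validates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    for line in data.decode("latin-1").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e",
    "Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.7",
    "Apache/1.3.26 (Unix)",
    "Apache",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{classify(b):12s} {b}")
    print(triage(SAMPLE_BANNERS))
```

Run it against a list of your own hosts' headers (or the output of `fetch_server_header`) and treat every `unknown` as work to do, not as safe: a host that hides its module versions is exactly as exploitable as one that prints them.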
The peer-to-peer structure is interesting. Most worms have used a centralised command-and-control approach: one master that every infected agent reports to. This one uses a P2P mesh in which each compromised host can talk to the others. The mesh is more resilient against takedown, since there is no single master to identify and remove. The trade-off is visibility: a mesh of web servers that suddenly start talking to each other on a port they never used before is itself a strong signal in flow or firewall logs, where a single outbound connection to a master might go unnoticed.
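To make the takedown argument concrete, here is an added example (not from the original post, and not based on any captured worm traffic) that runs the same analysis a responder would run over flow records: build an undirected graph of who talked to whom, pick the node a takedown would target (the highest-degree host), delete it, and see what is still connected. The flow lists are constructed; a star collapses into isolated hosts, while the mesh keeps every survivor reachable.

```python
from collections import defaultdict

# Constructed flow summaries, one (src, dst) per observed peer/C2 connection
# between infected hosts. Not real captures.
STAR_FLOWS = [("bot1", "master"), ("bot2", "master"),
              ("bot3", "master"), ("bot4", "master")]
MESH_FLOWS = [("h1", "h2"), ("h2", "h3"), ("h3", "h4"), ("h4", "h5"),
              ("h5", "h6"), ("h6", "h1"), ("h1", "h4"), ("h2", "h5")]


def build_graph(flows):
    """Undirected adjacency: for reachability, who initiated does not matter."""
    g = defaultdict(set)
    for a, b in flows:
        g[a].add(b)
        g[b].add(a)
    return g


def components(g, removed=frozenset()):
    """Connected components of g after deleting the nodes in `removed`."""
    seen, comps = set(), []
    for start in g:
        if start in removed or start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(m for m in g[n] if m not in removed and m not in comp)
        seen |= comp
        comps.append(comp)
    return comps


def best_takedown_target(g):
    """The node a takedown would go after: the one with the most peers."""
    return max(g, key=lambda n: len(g[n]))


def takedown_effect(g):
    """Remove the best target; return (target, largest surviving cluster, survivors)."""
    target = best_takedown_target(g)
    survivors = len(g) - 1
    largest = max((len(c) for c in components(g, removed={target})), default=0)
    return target, largest, survivors


def classify_topology(flows):
    """'star' when one node touches every other node and removing it isolates
    them all; anything else is treated as a mesh."""
    g = build_graph(flows)
    target, largest, survivors = takedown_effect(g)
    if survivors == 0:
        return "mesh"
    hub_fraction = len(g[target]) / survivors
    return "star" if hub_fraction == 1.0 and largest == 1 else "mesh"


if __name__ == "__main__":
    for name, flows in (("star", STAR_FLOWS), ("mesh", MESH_FLOWS)):
        target, largest, survivors = takedown_effect(build_graph(flows))
        print(f"{name}: remove {target}, largest surviving cluster "
              f"{largest}/{survivors}, topology={classify_topology(flows)}")
```

On the star the best target is `master` and nothing survives connected; on the mesh removing the busiest host leaves all five remaining hosts reachable, which is the property the post is pointing at. The same degree counts are what you would alert on: a set of HTTPS servers each holding connections to several others on an unexpected port.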
What I expect
If the reporting is accurate, this will be the first major Linux worm of 2002 and the first widely-deployed P2P-architected worm. Propagation will probably be moderate, since the population of Internet-facing Apache mod_ssl hosts, while large, is smaller than the IIS base earlier worms had to work with. The structural innovations matter more than the numbers.
More as the worm develops. I will write a fuller post once it is operational.