Slapper — the Linux worm exploiting the OpenSSL ASN.1 bug — is now in the wild. About 15,000 hosts compromised in the first few days. The architectural innovations are worth understanding.
What is novel
Peer-to-peer command-and-control. Slapper builds a UDP-based mesh among compromised hosts. There is no central master. Commands propagate through the mesh; the network is resilient against any single takedown.
Linux-specific. Slapper targets Apache mod_ssl on Linux. Other operating systems running Apache mod_ssl are not vulnerable to this worm (its ASN.1 exploit relies on Linux-specific memory layout details).
DDoS-capable. The mesh can be commanded to launch coordinated DDoS attacks. The capacity scales with the size of the mesh.
What this teaches
Peer-to-peer architectures are now operational. The takedown technique that has worked against centralised botnets (identify and disrupt the master) does not work against P2P architectures. Defenders need new techniques.
Linux is a serious target. Five years ago, Linux worms were rare. Today, Ramen, Lion, and now Slapper have established the category.
Library vulnerabilities remain serious. OpenSSL is the underlying library; the flaw lives there, so every application that links it carries the bug, whichever application the worm happens to target.
What operators should do
Patch OpenSSL. Restart all dependent services (a running process keeps the old library mapped until it restarts, so a patched package alone does not close the hole). Audit for evidence of compromise: a web server exchanging UDP traffic with many distinct peers is the distinctive P2P mesh pattern.
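One way to look for that mesh pattern in flow records, as an added example that is not part of the original post; the record format and the port number in the sample are constructed assumptions, and the heuristic itself is port-agnostic:

```python
from collections import defaultdict

# Constructed sample flow records (not real captures): "proto src_ip:sport dst_ip:dport".
# 10.0.0.5 behaves like a mesh node: on one fixed UDP port it both sends to and
# receives from many distinct hosts, and the remote side uses the same fixed port.
# 9999 is a made-up placeholder port. 10.0.0.7 is an ordinary DNS client
# using ephemeral source ports, which the heuristic must not flag.
SAMPLE_FLOWS = """\
udp 10.0.0.5:9999 198.51.100.10:9999
udp 10.0.0.5:9999 198.51.100.11:9999
udp 10.0.0.5:9999 203.0.113.20:9999
udp 10.0.0.5:9999 203.0.113.21:9999
udp 198.51.100.10:9999 10.0.0.5:9999
udp 203.0.113.21:9999 10.0.0.5:9999
udp 192.0.2.77:9999 10.0.0.5:9999
udp 10.0.0.7:53211 10.0.0.1:53
udp 10.0.0.7:53212 10.0.0.1:53
udp 10.0.0.7:53213 192.0.2.53:53
tcp 10.0.0.5:443 192.0.2.90:41022
malformed record
"""

def parse_flows(text):
    """Yield (proto, src_ip, src_port, dst_ip, dst_port); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, src, dst = parts
        try:
            sip, sport = src.rsplit(":", 1)
            dip, dport = dst.rsplit(":", 1)
            yield proto.lower(), sip, int(sport), dip, int(dport)
        except ValueError:
            continue

def find_mesh_nodes(text, min_peers=3):
    """Return {host: (port, out_peers, in_peers)} for hosts that, on one UDP port,
    both send to and receive from at least min_peers distinct hosts."""
    out_peers = defaultdict(set)  # (host, port) -> remote hosts it sent to
    in_peers = defaultdict(set)   # (host, port) -> remote hosts that sent to it
    for proto, sip, sport, dip, dport in parse_flows(text):
        # Mesh peers all listen on the same port, so flows are port-symmetric.
        # Client/server UDP (DNS, NTP) pairs a fixed port with an ephemeral one.
        if proto != "udp" or sport != dport:
            continue
        out_peers[(sip, sport)].add(dip)
        in_peers[(dip, dport)].add(sip)
    hits = {}
    for host, port in set(out_peers) | set(in_peers):
        o, i = len(out_peers[(host, port)]), len(in_peers[(host, port)])
        if o >= min_peers and i >= min_peers:
            hits[host] = (port, o, i)
    return hits
```

Raise min_peers on busy networks; a genuine mesh node fans out to far more than three peers, while a legitimate port-symmetric UDP service is rare on a web server.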
More as the worm develops.