Security watch
The rise of P2P worms--and how to protect yourself
A new breed of worms is starting to appear. They use peer-to-peer technology to infect you and spread themselves around the Net. How can you make sure you're not harmed by this new threat?

By Robert Vamosi
Senior associate editor, CNET Reviews
(9/18/02)

It's been exactly a year since the Nimda worm first took the Internet community by surprise. Though last year many antivirus vendors predicted a wave of Nimda mimics, the original remains in a class by itself; the virus-writing community simply didn't play along.

But now that new viruses are starting to appear again after their usual summer hiatus, we're starting to see a new strain that's completely different from Nimda. These new viruses either use peer-to-peer (P2P) file-sharing networks, such as KaZaa or Morpheus, as a means to infect innocent victims, or they use P2P technology to construct worms that can communicate with one another and may someday even be resistant to antivirus measures.

In the last few weeks, we've seen a spate of file-sharing viruses, as well as a Linux worm called Slapper that creates its own decentralized P2P network. Fortunately, there are ways to protect yourself from these new virus types, which I'll explain a little later.

KaZaa-specific viruses
Worms that spread on public file-sharing networks first started showing up this summer. According to Steven Sundermeier of Central Command, eight viruses have hit the KaZaa network since the Benjamin virus struck on May 19, 2002. Each does something a little bit different, although none are particularly destructive.

Even if you don't use an external file-sharing network, your computer could still be in danger of being infected by this new type of virus. If, for example, your company allows employees to access file-sharing networks, you could be infected by a coworker on your LAN.

P2P viruses are particularly dangerous because when you're using a file-sharing network, you have no way of determining the integrity of a file until you download it. Perhaps a system of identifying "trustworthy" users will emerge within the file-sharing community--a peer-group certification that files on so-and-so's server are clean.

The Slapper worm
Another way virus writers are using P2P technology is to endow their worms with networking capabilities. Speaking earlier this summer at the Netsec 2002 security conference in San Francisco, Ryan Russell, a researcher at SecurityFocus, predicted that P2P technology might allow conventional Internet worms to update themselves--and perhaps make themselves invulnerable to antivirus software--by communicating with other infected systems to receive new code. We now have an example of this: Slapper.

The Slapper worm (a.k.a. Linux.Slapper.a) attacks Linux servers running Apache by exploiting a known vulnerability in the Secure Sockets Layer (SSL) handshake process. Like the Code Red worm, Slapper scans for potential victims by sending an invalid HTTP GET request to port 80/tcp. Port 80 carries most Web traffic and therefore is not blocked by firewalls. When a system running Apache is located, Slapper attempts to send code to the SSL service. If successful, the newly infected machine compiles the code and begins scanning the Internet for another system to infect. Meanwhile, the infected system joins the worm's own private network, listening on port 2002 for updates or new instructions from other Slapper-infected systems.

As I write this, there are approximately 6,700 compromised Linux servers on the Internet, all interconnected via a private network, thanks to the Slapper worm. A malicious user could, in theory, send code to one of these systems and direct all of them to flood a target Web site with requests for data in a distributed denial-of-service (DDoS) attack. So far, this has not happened with these particular machines.

Antivirus researchers are currently monitoring the traffic on the infected servers, looking for signs that the worm is evolving or preparing to attack a specific target. In the future, worms such as Slapper could encrypt their private networks. That would keep researchers from eavesdropping and also prevent other malicious users from hijacking the thousands of infected boxes.

How to beat Slapper
To prevent an Apache server from becoming infected with Slapper, the CERT Coordination Center at Carnegie Mellon recommends that you review two recent advisories, CA-2002-23 and VU#102795, for detailed vendor recommendations regarding patches. You can also disable mod_ssl and SSLv2 on your Apache server. The vulnerability exploited by the Slapper worm has been fixed as of OpenSSL version 0.9.6e. The latest version of OpenSSL is 0.9.6g.
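Two checks an administrator could script from the description above and from the scanning behaviour described under "The Slapper worm": whether the installed OpenSSL predates the fixed 0.9.6e release, and which clients in an Apache access log are repeatedly sending GET requests the server rejects. This is an added example, not code from the article or from CERT; the log lines are constructed, and the assumption that Slapper's invalid probe shows up as a 400 status is mine, not the article's.

```python
import re

# The article states the flaw Slapper exploits was fixed in OpenSSL 0.9.6e.
FIXED_VERSION = "0.9.6e"

def parse_openssl_version(version):
    """Turn an OpenSSL version such as '0.9.6e' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, patch, letter = m.groups()
    # A missing letter sorts before 'a', so 0.9.6 < 0.9.6e < 0.9.7.
    return (int(major), int(minor), int(patch), letter)

def is_vulnerable_openssl(version):
    """True when the installed release predates the fixed one."""
    return parse_openssl_version(version) < parse_openssl_version(FIXED_VERSION)

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def suspicious_scanners(log_text, min_hits=2):
    """Count, per client, GET requests Apache rejected with a 400 status.
    Assumption (mine, not the article's): the worm's invalid probe is logged
    as a 400; a client producing min_hits or more of them is flagged."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request, status = m.groups()
        if request.startswith("GET ") and status == "400":
            hits[client] = hits.get(client, 0) + 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample log (documentation IP ranges), so the check runs offline.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [18/Sep/2002:10:01:12 -0700] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [18/Sep/2002:10:02:45 -0700] "GET / HTTP/1.1" 400 385
198.51.100.7 - - [18/Sep/2002:10:02:46 -0700] "GET / HTTP/1.1" 400 385
203.0.113.5 - - [18/Sep/2002:10:03:01 -0700] "POST /cgi-bin/form HTTP/1.0" 200 220
"""
```

On a live server, feed `openssl version` output (the version field only) to `is_vulnerable_openssl` and the real access log to `suspicious_scanners`; a flagged client is a candidate for a firewall rule, not proof of infection.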

It's been a year since we've seen something as clever as Nimda, and it appears we've all been looking in the wrong places for the next big virus. Virus writers seem to be infecting systems they themselves use: IRC (Internet Relay Chat), instant messaging, and now, P2P. I predict the next major virus threat will incorporate one of these technologies or perhaps all three.

Would you stop using file-sharing networks to prevent your computer from becoming infected by a worm? Do you think we'll see more P2P worms in the future? TalkBack to me!


Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews. Have a question for him? Let him know!