Net-Worm.Linux.Mighty

Class Net-Worm
Platform Linux
Description

Technical Details

“Mighty” is an Internet worm that infects Linux machines running the popular “Apache” web server software. It does so by exploiting a vulnerability in the server's “mod_ssl” Secure Sockets Layer (SSL) interface code. The vulnerability was originally reported on July 30, 2002, and is listed by the Computer Emergency Response Team (CERT) as Vulnerability Note VU#102795.

The configurations vulnerable to the specific exploit implementation used by the worm are Intel x86 Linux Apache installations with OpenSSL older than 0.9.6e and 0.9.7-beta. Updating to one of these two versions or other more recent releases will patch the vulnerability and prevent the worm from infecting the system.
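The version thresholds above can be turned into a quick triage check. The following is an added example, not part of the original description: it classifies the OpenSSL version found in an Apache `Server` banner or in `openssl version` output. The function names are hypothetical and the sample strings in the test are constructed. Because the description names "0.9.7-beta" without a beta number, 0.9.7 pre-releases are reported as needing manual review.

```python
import re

# Threshold from the description above: 0.9.6e is the first fixed release
# of the 0.9.6 line. The page gives "0.9.7-beta" without a beta number, so
# any 0.9.7 pre-release is flagged "review" rather than guessed at.
FIXED_096_LETTER = "e"

_VERSION_RE = re.compile(
    r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|dev|pre\d*))?",
    re.IGNORECASE,
)


def parse_openssl_version(text):
    """Return ((major, minor, fix), patch_letter, prerelease) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    numeric = tuple(int(m.group(i)) for i in (1, 2, 3))
    return numeric, m.group(4).lower(), (m.group(5) or "").lower()


def classify(text):
    """Classify a banner as vulnerable, patched, review or unknown."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"          # no OpenSSL token in the string
    numeric, letter, prerelease = parsed
    if numeric < (0, 9, 6):
        return "vulnerable"       # whole release line predates 0.9.6e
    if numeric == (0, 9, 6):
        # "" (plain 0.9.6) and "a".."d" sort before "e"; a 0.9.6
        # pre-release predates every lettered patch release.
        if prerelease or letter < FIXED_096_LETTER:
            return "vulnerable"
        return "patched"
    if numeric == (0, 9, 7) and prerelease:
        return "review"           # beta number not given on the page
    return "patched"


def triage(banners):
    """Map each banner string to its classification."""
    return {banner: classify(banner) for banner in banners}
```

Distribution packages often backport fixes without changing the reported version, so a "vulnerable" result should be confirmed against the vendor's advisory for the installed package.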

The main worm replication component is about 19KB in size, and uses the exploit code from the popular “Slapper” worm.

Besides infecting more computers to spread further, the worm also acts as a backdoor on the victim system, connecting to an IRC server and joining a special channel from which it receives its orders. It is worth noting that the backdoor component of the worm is based on the popular ‘Age of Kaiten’ IRC bot source, which is used in many other pieces of IRC malware.

At the time of writing, the worm is reported to have infected around 1600 systems worldwide.