OpenSSL Worm Spotted in Wild

By N-Stalker Team on September 13, 2002

We’ve been following credible reports that a worm propagating in the wild is breaking into servers running vulnerable versions of OpenSSL. Last month, several critical security issues, including a client-exploitable remote buffer overflow in the SSLv2 handshake process, were discovered in all OpenSSL versions prior to 0.9.6e. The worm appears to exploit this hole. Little else is known beyond the fact that it communicates with peers over UDP port 2002 and may have distributed denial-of-service capabilities. Statistics from the Internet Storm Center indicate a noticeable spike in port 2002 activity over the past few days, though reported intrusions have been mostly isolated to Europe thus far.

The worm seems to pick its targets by server banners; for Apache, you can set the ServerTokens option to “ProductOnly” to keep it from reporting its operating system and version information. CERT’s original advisory for these vulnerabilities includes links to vendor patches, so be sure you’re updated before this worm can spread.
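To check what your own server's banner gives away, the following added example (not part of the original post) parses a `Server:` header value and flags OS and version disclosure and an OpenSSL version earlier than 0.9.6e. The function names and sample banners are constructed for illustration.

```python
import re

FIXED = "0.9.6e"  # per the post: versions prior to 0.9.6e are affected
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
COMMENT_RE = re.compile(r"\([^)]*\)")  # e.g. "(Unix)"

def parse_openssl_version(text):
    """'0.9.6b' -> (0, 9, 6, 'b'); a missing letter sorts before 'a'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognized OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def audit_banner(server_header):
    """Report what a Server: header value discloses about the host."""
    result = {
        "discloses_os": bool(COMMENT_RE.search(server_header)),
        "discloses_versions": False,
        "openssl": None,
        "openssl_pre_fix": None,  # None = absent or unparseable, check by hand
    }
    for token in COMMENT_RE.sub(" ", server_header).split():
        product, _, version = token.partition("/")
        if not version:
            continue
        result["discloses_versions"] = True
        if product.lower() == "openssl":
            result["openssl"] = version
            try:
                result["openssl_pre_fix"] = (
                    parse_openssl_version(version) < parse_openssl_version(FIXED))
            except ValueError:
                pass  # beta or vendor-tagged string: leave as None
    return result

# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e",
    "Apache",  # what ServerTokens ProductOnly reports
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, "->", audit_banner(banner))
```

The banner only shows the version string the server reports: a vendor patch may fix the flaw without changing that string, and a ProductOnly banner says nothing about whether the underlying OpenSSL has been updated.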

(N-Stalker Security Force)
