Surge in Scans Seeking SSL Servers

Internet scanning for servers running Secure Sockets Layer (SSL) has spiked in the past week, raising suspicions that hackers may be profiling targets for future attacks. SSL encrypts sensitive information for e-commerce transactions, and its presence can indicate a high-value target for crackers seeking to steal financial data. Scans of port 443, which is used by SSL, have surged since July 15.

A similar pattern was seen in April, shortly after exploit code was published for a critical security hole in Microsoft's implementation of SSL. That scanning was followed by attacks on Australian banks in late April, and the same vulnerability was used last month to hijack Windows servers running IIS 5.0 and spread phishing trojans to visitors of the compromised sites.

Security firms are advising network administrators to install security patches for SSL servers, including a recent update for mod_ssl, which is widely used in Apache servers running OpenSSL. That update, released July 16, fixes a vulnerability that may allow a remote attacker to execute arbitrary code when Apache is configured to use mod_ssl and mod_proxy, according to an advisory from Gentoo Linux.

Several recent samples of malicious code submitted to the SANS Institute were adapted from code published in April that targeted the Microsoft SSL vulnerability. The group that published the exploit, The Hacker's Choice, says the code has been downloaded at least 24,000 times.

While SSL servers would be expected to be closely maintained, a Netcraft sampling from last year showed that known SSL security holes remained unpatched for months after fixes were available.