A malicious web worm is travelling across the internet enrolling vulnerable machines into a network that some experts think will be used to attack high profile websites.

The US net security watchdog, the Computer Emergency Response Team, has issued a warning about the "Slapper" worm that has infected thousands of Linux web servers.

The worm exploits a known loophole in a popular security program and is slowly recruiting machines into its attack network.

Security experts are urging people to update software to close the loophole and check to ensure their machine has not been infected.

Huge network

Home users have little to worry about as the Slapper worm only targets servers running the popular Apache software.

This free Linux-based program is by far the most widely used web server software.

The worm exploits a vulnerability in Apache servers running software called OpenSSL. Ironically, this is used to make web transactions secure.

The worm marks something of a departure for virus writers which typically target programs made by Microsoft.

"Unix is becoming more and more popular, with Apache beating Microsoft as the web server of choice for many companies," said Graham Cluley, senior technology consultant at Sophos.

"However, this popularity attracts attention from the cybercrime community, so fans of Unix need to remember to take security seriously," he said.

Anti-virus firm F-Secure has inserted a dummy machine into the peer-to-peer network being created by Slapper and the company estimates that, so far, the worm has recruited more than 6,000 machines.

Experts speculate that the creator of the worm wants to build a large network of slave machines that can be used to trigger denial of service attacks. These flood target sites and servers with data hoping to knock them offline.

Potential threat

So far the worm seems content to build up its own network and has only been used to carry out one attack on a net service provider.

Security experts are divided on the threat that Slapper poses. Some fear that if all the recruited machines are activated they could launch devastating attacks.

But other anti-virus companies are reporting that none of their customers have been infected by the worm and say the threat it poses is low.

Like many other malicious programs, the worm is exploiting a vulnerability that has been known about for some while.

The loophole was first discovered in August and patches for it were posted soon after. Anyone using OpenSSL up to and including versions 0.9.6d or 0.9.7beta1 is strongly advised to upgrade to the newest version.