FRISK Software International


Summary of UNIX/Slapper
Alias: Linux.Slapper-A, Linux.Slapper-Worm, Apache/mod_ssl Worm, Slapper.source
Discovered: 13 Sep 2002
Definition files: 13 Sep 2002
 

Brief Description

Slapper is a network worm that spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.

The worm affects Linux machines that are running Apache web server with OpenSSL enabled. Apache installations cover more than 60% of public web sites on the internet. It can be estimated that less than 10% of these installations have enabled SSL services. SSL is most often used for online commerce, banking and privacy applications.



Technical Description

Once a machine gets infected, the worm starts to spread to new systems. In addition, the worm contains code to create a peer-to-peer attack network, in which infected machines can be remotely instructed to launch a wide variety of Distributed Denial of Service (DDoS) attacks.

The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled, and the OpenSSL version must be 0.9.6d or older.

Slapper is very similar to the Scalper Apache worm, which was found in June 2002. The basic theory of operation is similar to that of the first widespread web worm, Code Red. Code Red infected more than 350000 websites running Microsoft IIS in July 2001.

VARIANT: Slapper.A

The worm infects the system by writing a uuencoded copy of itself to /tmp/.uubugtraq. It decodes the file to /tmp/.bugtraq.c and uses the gcc compiler to produce an executable copy of itself as /tmp/.bugtraq, which is then executed.

At this point, the worm starts to scan a predefined set of Class A networks for vulnerable machines by connecting to the httpd server (port 80). If the worm can connect, it will check the content of the "Server:" header from the response. If the header contains the string "Apache", the worm will attempt to connect to the SSL server (port 443), and attempt to infect the target by using the OpenSSL vulnerability. Further details about the vulnerability are available below.

The worm also contains a backdoor that listens on UDP port 2002 and can be controlled remotely. The backdoor has the ability to upload and execute arbitrary programs on the infected host. It also contains the functionality to perform various denial of service attacks. This backdoor is very similar to the one within the Scalper worm.



Removal Instructions

The worm is visible on the infected system as a process named ".bugtraq". An infected system can be disinfected by terminating the worm's process and by removing the files it created in the temporary directory:


        /tmp/.uubugtraq
        /tmp/.bugtraq.c
        /tmp/.bugtraq

The Apache web server must be shut down as well, and the OpenSSL library must be upgraded to a fixed version (0.9.6e or above) in order to avoid reinfection.
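A host-side check for the indicators listed in this description (the three /tmp files, the ".bugtraq" process and the UDP 2002 backdoor listener), added here as an example; it is not an F-PROT tool. It assumes the standard Linux /proc/net/udp layout and x86 byte order, and the embedded /proc/net/udp sample is constructed for illustration.

```python
"""Host-side check for the Slapper.A indicators described on this page. Added example,
not FRISK/F-PROT code; assumes the standard Linux /proc/net/udp layout on x86."""
import os
import socket
import struct

SLAPPER_FILES = ("/tmp/.uubugtraq", "/tmp/.bugtraq.c", "/tmp/.bugtraq")
SLAPPER_PROCESS = ".bugtraq"      # process name the worm runs under
SLAPPER_UDP_PORT = 2002           # backdoor port
# Constructed sample of /proc/net/udp: one socket bound to 0.0.0.0:2002, one to 127.0.0.1:53.
SAMPLE_UDP_TABLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9012\n"
    "   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9013\n"
)

def parse_proc_net_udp(text):
    """Return [(ip, port)] for every local UDP endpoint in a /proc/net/udp dump."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:   # skips the column header
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the address as a host-order 32-bit word (bytes reversed on x86).
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        endpoints.append((ip, int(port_hex, 16)))
    return endpoints

def slapper_findings(udp_table, process_names, existing_files):
    """Match observed host state against the worm's indicators; returns hit strings."""
    hits = [f"UDP listener on {ip}:{port} (Slapper backdoor port)"
            for ip, port in parse_proc_net_udp(udp_table) if port == SLAPPER_UDP_PORT]
    hits += [f"process {n!r} running" for n in process_names if n == SLAPPER_PROCESS]
    hits += [f"worm file present: {p}" for p in existing_files if p in SLAPPER_FILES]
    return hits

def scan_live_host():
    """Collect the same three inputs from the running Linux system and check them."""
    with open("/proc/net/udp") as fh:
        udp_table = fh.read()
    names = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:   # comm holds the executable's basename
                names.append(fh.read().strip())
        except OSError:                             # process exited during the scan
            continue
    return slapper_findings(udp_table, names, [p for p in SLAPPER_FILES if os.path.exists(p)])
```

Any non-empty result from scan_live_host() means the host should be treated as infected and cleaned as described above; a port 2002 listener alone can also come from unrelated software, so confirm with the file and process checks.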


[Analysis: Sami Rautiainen and Mikko Hypponen, F-Secure Corporation; September 14th, 2002]
 

