Once a machine gets infected, the worm starts to spread to new systems. In addition, the worm contains code to create a peer-to-peer attack network, where infected machines can remotely be instructed to launch a wide variety of Distributed Denial of Service (DDoS) attacks
The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled and OpenSSL version must be 0.96d or older.
Slapper is very similar to the Scalper Apache worm, which was found in June 2002. The basic theory of operation is similar to the first widespread web worm, Code Red. Code Red infected more than 350000 websites running Microsoft IIS in July 2001
The worm infects the system by creating a uuencoded copy of itself to /tmp/.uubugtraq. It decodes the file to /tmp/.bugtraq.c and uses gcc compiler to produce an executable copy of itself as /tmp/.bugtraq, which is then executed.
At this point, the worm starts to scan a predefined set of Class A networks for vulnerable machines by connecting to the httpd server (port 80). If the worm can connect, it will check the content of the "Server:" header from the response. If the header contains the string "Apache", the worm will attempt to connect to the SSL server (port 443), and attempt to infect the target by using the OpenSSL vulnerability. Further details about the vulnerability are available below.
The worm also contains a backdoor that listens to UDP port 2002, and can be controlled remotely. The backdoor contains the ability to upload and execute arbitrary programs in the infected host. It also contains the functionality to perform various denial of service attacks. This backdoor is very similar to the one within the Scalper worm.