Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

What is Slapper? Print E-mail
User Rating:      How can I rate this item?
Features The question of the week: What is Slapper? Let me begin by telling you I am not only describing the Slapper worm, but I am also describing the Apache/mod_ssl worm, the bugtraq.c worm, and the Modap worm. In effect, this is just 4 different names for the same nasty worm.

On the always lucky day of Friday the 13th (of September) the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow vulnerability reported at the end of July. The next day, CERT issued an advisory CA-2002-27, the Apache/mod_ssl Worm.

A quote directly from the CERT issued advisory prior to the release of the worm:

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

By Sunday September 15th, F-Secure Corporation reported 13,000 infected servers out of "over 1,000,000 active OpenSSL installations in the public web." Businesswire gave a more in-depth view into just how F-Secure got their numbers:

During the weekend following Friday the 13th, F-Secure engineers have reverse engineered the peer-to-peer protocol that the worm uses. F-Secure has now infiltrated the Slapper peer-to-peer attack network, posing as an infected web server. Through this fake server, the exact number of infected machines and their network names can be identified.

Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available for over a month from the OpenSSL project, Caldera, Conectiva, Debian, EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and Yellow Dog.

SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format). F-Secure is maintaining a "Virus Description" of this worm with lots of interesting information.

The Linux.Slapper.Worm spreads in similar fashion to last year's Nimda and Code Red worms, by scanning for, and then infecting, vulnerable systems. Because this worm establishes peer-to-peer links among infected servers, experts fear it could create a powerful platform to launch denial-of-service attacks against virtually any target on the Internet.

Some of the more noteworthy (interesting) things thats the Slapper Worm does are similar to the Apache Scalper worm. A major difference is that Slapper creates a hierarchical network structure. The Security Focus Analysis states:

The Modap Worm, like Scalper, implements many innovative structures, including a hierarchical network structure in which it keeps track of the systems it has infected, the system that infected it, as well as a list of other infected systems and how many hops away they are. All of the internal communication between hosts infected with Modap is accomplished through an implementation of a stateful protocol transmitted over UDP.

Once the worm has infected a system and created the necessary file (below), it executes itself with at one command line parameter. If it is not executed with at least one command line parameter, then it displays an error message and does not run. Now that the worm is running, the first thing it attempts to do is bind to UDP port 2002. The bot (worm) then sends out a packet to register itself on the network [of other worms]. Now that the worm is bound to a port, it enters a daemon mode and forks and installs signal handlers for SIGCHLD and SIGHUP which point to an empty function. The worm now enters a while loop where it just scans and propagates.

The way the worm propagates is it begins by scanning for hosts that are listening on port 80. Once a system is found, it send the following string:

GET / HTTP/1.1\r\n\r\n

Since a "400 Bad Request" reply is generated, the worm now has information about the server to look at. It parses the information given with the response and determines weather or not it has just contacted an apache server. The worm checks the response string to see if the version of apache as well as the operating system are vulnerable. If the operating system or the apache version don't match anything the worm has, then it uses the default attack.

F-Secure has charts which illustrate how many hosts are/were infected at a given time. Although the count was nearing 20,000 hosts as of 17 September, the number has been drastically reduced between patching and emails to system administrators. The number is supposedly down to below 1,000 at the time of this article writing.

One of the main characteristics associated with Slapper is the file names that it creates. It creates 3 files within the /tmp directory:

/tmp/.bugtraq This is the copy of the worm that is running on the infected system.
/tmp/.bugtraq.c This is the source code to the worm that is running on the infected system.
/tmp/.uubugtraq This is the uuencoded copy of the worm that is running on the infected system. This file is also used by the worm to propagate itself to other systems.

Media References include:

RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has observed behavior different from what that tool expects.

If you have yet to apply a patch, I would strongly urge you to do so now. If reading this article has not convinced you, then go apply the patch to spite me. If you are unsure of where to obtain a patch for your version of linux, Linux Security Advisories has a list of all the advisories by vendor.

Much of the information stated in this document is available via the sources and references listed throughout this document.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Feds Charged With Stealing Money During Silk Road Investigation
EFF questions US government's software flaw disclosure policy
Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.