The question of the week: What is Slapper? Let me begin by telling you I am not only describing the Slapper worm, but I am also describing the Apache/mod_ssl worm, the bugtraq.c worm, and the Modap worm. In effect, these are just four different names for the same nasty worm.

On the always lucky day of Friday the 13th (of September) the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow vulnerability reported at the end of July. The next day, CERT issued an advisory CA-2002-27, the Apache/mod_ssl Worm.

A quote directly from the CERT-issued advisory prior to the release of the worm:

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

By Sunday September 15th, F-Secure Corporation reported 13,000 infected servers out of "over 1,000,000 active OpenSSL installations in the public web." Businesswire gave a more in-depth view into just how F-Secure got their numbers:

During the weekend following Friday the 13th, F-Secure engineers have reverse engineered the peer-to-peer protocol that the worm uses. F-Secure has now infiltrated the Slapper peer-to-peer attack network, posing as an infected web server. Through this fake server, the exact number of infected machines and their network names can be identified.

Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available for over a month from the OpenSSL project, Caldera, Conectiva, Debian, EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and Yellow Dog.

SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format). F-Secure is maintaining a "Virus Description" of this worm with lots of interesting information.

The Linux.Slapper.Worm spreads in similar fashion to last year's Nimda and Code Red worms, by scanning for, and then infecting, vulnerable systems. Because this worm establishes peer-to-peer links among infected servers, experts fear it could create a powerful platform to launch denial-of-service attacks against virtually any target on the Internet.

Some of the more noteworthy (interesting) things that the Slapper worm does are similar to the Apache Scalper worm. A major difference is that Slapper creates a hierarchical network structure. The SecurityFocus analysis states:

The Modap Worm, like Scalper, implements many innovative structures, including a hierarchical network structure in which it keeps track of the systems it has infected, the system that infected it, as well as a list of other infected systems and how many hops away they are. All of the internal communication between hosts infected with Modap is accomplished through an implementation of a stateful protocol transmitted over UDP.

Once the worm has infected a system and created the necessary files (below), it executes itself with at least one command-line parameter. If it is not executed with at least one command-line parameter, it displays an error message and does not run. Once the worm is running, the first thing it attempts to do is bind to UDP port 2002. The bot (worm) then sends out a packet to register itself on the network [of other worms]. Now that the worm is bound to a port, it enters a daemon mode, forks, and installs signal handlers for SIGCHLD and SIGHUP which point to an empty function. The worm then enters a while loop where it just scans and propagates.

The worm propagates by first scanning for hosts that are listening on port 80. Once a system is found, it sends the following string:

GET / HTTP/1.1\r\n\r\n

Since a "400 Bad Request" reply is generated, the worm now has information about the server to look at. It parses the information given with the response and determines whether or not it has just contacted an Apache server. The worm checks the response string to see if the version of Apache as well as the operating system are vulnerable. If the operating system or the Apache version doesn't match anything the worm has, then it uses the default attack.
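The probe described above leaves a recognizable line in the web server's access log. The following is an added example, not part of the original article: it scans Common or Combined Log Format lines for a bare "GET / HTTP/1.1" answered with status 400. The log format, the function name and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Common Log Format; Combined Log Format appends quoted referer and user-agent.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

PROBE_REQUEST = "GET / HTTP/1.1"  # request line quoted in the article


def find_probes(lines):
    """Count, per client, bare 'GET / HTTP/1.1' requests answered with 400."""
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        if m["request"] != PROBE_REQUEST or m["status"] != "400":
            continue
        # The probe sends no headers at all, so any logged User-Agent
        # means this request came from something else.
        if m["agent"] not in (None, "-"):
            continue
        hits[m["host"]] += 1
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2002:03:12:01 +0000] "GET / HTTP/1.1" 400 385
192.0.2.10 - - [14/Sep/2002:03:12:09 +0000] "GET / HTTP/1.1" 400 385 "-" "-"
198.51.100.7 - - [14/Sep/2002:03:13:44 +0000] "GET / HTTP/1.1" 200 2890 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Sep/2002:03:13:45 +0000] "GET /logo.png HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.5 - - [14/Sep/2002:03:15:02 +0000] "GET / HTTP/1.0" 400 385
""".splitlines()

if __name__ == "__main__":
    for client, n in find_probes(SAMPLE_LOG).most_common():
        print(f"{client}: {n} version probe(s)")
```

A match only shows that a client fingerprinted the server with a header-less HTTP/1.1 request; other scanners do the same, so treat hits as a reason to check the host for the files listed below rather than as proof of Slapper.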

F-Secure has charts which illustrate how many hosts are/were infected at a given time. Although the count was nearing 20,000 hosts as of 17 September, the number has been drastically reduced between patching and emails to system administrators. The number is supposedly down to below 1,000 at the time of writing.

One of the main characteristics associated with Slapper is the file names that it creates. It creates 3 files within the /tmp directory:

/tmp/.bugtraq: This is the copy of the worm that is running on the infected system.
/tmp/.bugtraq.c: This is the source code to the worm that is running on the infected system.
/tmp/.uubugtraq: This is the uuencoded copy of the worm that is running on the infected system. This file is also used by the worm to propagate itself to other systems.
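The file names above and the UDP port 2002 binding described earlier are the two host-side indicators this article gives. The following is an added example, not part of the original article or of any vendor tool: a triage check for both on a Linux host. The function names are illustrative, and the /proc/net/udp sample is constructed.

```python
import os

# File names listed in the article, all created under /tmp.
ARTIFACTS = (".bugtraq", ".bugtraq.c", ".uubugtraq")
WORM_UDP_PORT = 2002  # port the article says the worm binds


def find_artifacts(tmp_dir="/tmp"):
    """Return paths of the worm's files that exist in tmp_dir."""
    found = []
    for name in ARTIFACTS:
        path = os.path.join(tmp_dir, name)
        if os.path.lexists(path):  # lexists also reports dangling symlinks
            found.append(path)
    return found


def udp_listeners(proc_net_udp_text, port=WORM_UDP_PORT):
    """Parse /proc/net/udp text; return (local_addr_hex, uid, inode) bound to port."""
    matches = []
    for line in proc_net_udp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == port:
            matches.append((addr_hex, int(fields[7]), int(fields[9])))
    return matches


# Constructed /proc/net/udp sample; uid 48 is a placeholder for the apache user.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201
  11: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 5377
"""

if __name__ == "__main__":
    print("artifacts:", find_artifacts())
    try:
        with open("/proc/net/udp") as fh:
            print("udp/2002 sockets:", udp_listeners(fh.read()))
    except OSError:
        print("no /proc/net/udp; sample:", udp_listeners(SAMPLE_PROC_NET_UDP))
```

A socket on UDP 2002 owned by the web server's uid together with any of the three files is a strong sign of infection; either finding alone still warrants a closer look at the host.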

Media References include:

RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has observed behavior different from what that tool expects.

If you have yet to apply a patch, I would strongly urge you to do so now. If reading this article has not convinced you, then go apply the patch to spite me. If you are unsure of where to obtain a patch for your version of Linux, Linux Security Advisories has a list of all the advisories by vendor.

Much of the information stated in this document is available via the sources and references listed throughout this document.