[CTS] LINUX WORM SLAPS APACHE WEB ADMINS
- From: "Charles R. Buchanan" <crbgfblab@xxxxxxxxxxxxx>
- To: "Computertalk Mailing List" <computertalkshop@xxxxxxxxxxxxx>
- Date: Mon, 16 Sep 2002 14:44:57 -0700
VIRUS ALERT
SLAPPER:
LINUX WORM SLAPS APACHE WEB ADMINS
DATE:
September 16, 2002
Some URLs in the article below may wrap to a second line. When that
occurs, clicking on them does not work. To follow a multi-line link,
please copy and paste its parts into your browser's address window
to reassemble it into a working URL. For an easier-to-read HTML
version of this article with live links, go to:
https://www3.watchguard.com/archive/showhtml.asp?pack=135184
---------------------------------------------------------------
ABOUT THE VIRUS
Discovered September 13, Slapper is a new Linux-based worm that
takes advantage of past OpenSSL vulnerabilities described in our
July 30 Information Alert
<https://www3.watchguard.com/archive/showhtml.asp?pack=135151>.
Slapper is not your normal e-mail-based worm. Rather, it targets
Linux Apache servers, the most popular Web servers on the Internet,
and creates what could best be described as a peer-to-peer network
of zombie servers that the virus author can use in Distributed
Denial of Service (DDoS) attacks.
Slapper had already infected over 3500 servers when Symantec posted
this advisory:
<http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm
.html>.
A report from F-Secure
<http://www.internetwk.com/security02/INW20020916S0001>
updated Monday morning stated 11,200 systems had been infected,
indicating that the worm is spreading rapidly. An advisory
<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130>
from Internet Security Systems (ISS) reports that the DDoS features
of the worm have already been used to attack and disable high-
profile targets.
Slapper begins its attack looking for Web servers by scanning ranges
of IP addresses on TCP port 80. When it finds a Web server, the worm
sends a purposely invalid HTTP GET request, hoping that the Web
server will reply with an error message. The error message tells
Slapper whether or not it has found a susceptible Apache server.
When Slapper finds a vulnerable server, it then sends a specially-
crafted, overly-long string to the server on the SSL port (TCP 443).
If you have not patched your server for the OpenSSL vulnerability,
Slapper gains root access using this exploit. Then it copies itself
to your machine as source code (/tmp/.bugtraq.c), and compiles
itself locally (/tmp/.bugtraq). Uploading itself as source rather
than as an executable helps the worm ensure stability regardless of
which flavor of Linux it encounters. Once Slapper has infected your
server, it starts scanning for more vulnerable servers on the
Internet and repeats the infection process.
Besides spreading itself, Slapper also installs something like a
peer-to-peer service on your server, listening on UDP port 2002. The
virus author can send commands to this port to do the following:
* Execute code on your server
* Execute both TCP and TCP IPv6 flood attacks
* Execute UDP flood attacks
* Execute DNS flood attacks
* Search your machine for all its stored e-mail addresses
* Send messages to other zombie machines in Slapper's peer-to-
peer network
In short, once Slapper has infected your machine the virus author
gains total control and can use your server in DDoS attacks.
WHAT YOU CAN DO
This is not an email-borne worm. Slapper only attacks Linux-based,
Apache Web servers. If you use a Linux Apache server and followed
the advice in our July 30 Information Alert
<https://www3.watchguard.com/archive/showhtml.asp?pack=135151>,
you're not vulnerable to Slapper infection. Otherwise, upgrade to
the latest version of OpenSSL immediately.
Administrators can also mitigate the chance of infection by
disabling Apache's SSL features if not used. Refer to the directions
in the "Recommendations" section of ISS's advisory for details
<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130>..
Finally, most anti-virus vendors have released engine updates to
detect Slapper. Administrators should contact their anti-virus
vendor for the latest virus definitions.
-- Suggestions for SOHO and Firebox users
Slapper infects using normal Web and Secure Web traffic. If you have
a secure Web server, you must allow this traffic for clients to
access your Web site. Therefore, the solutions above are your
primary recourse. However, both the SOHO and Firebox deny incoming
UDP port 2002 by default. As long as you have not added a custom
service allowing this port, an attacker cannot use your Web server
in a DDoS attack based on a Slapper infection.
-- Suggestions for ServerLock and AppsLock/Web users
Currently, Slapper only works on Linux machines, and thus would not
affect servers protected by ServerLock. However, Slapper is a
variant of a previous worm and, like most Linux applications, is
easily modified. If a variant of Slapper emerges which works on
Solaris or Windows machines, we will alert you. In any case,
ServerLock prevents your critical files from being damaged by
Slapper or any other worm. ##
Credits: this alert researched and written by Corey Nachreiner.
---
Look OUT you varmits, This msg is Virus Free!
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.386 / Virus Database: 218 - Release Date: 9/9/2002
---------------------------------------------------------------------------
-----
Computer Talk Shop http://www.computertalkshop.com
Un-subscribe/Vacation, http://szaroconsulting.com/cts/list_options.htm
List HowTo: http://szaroconsulting.com/cts/faq
To join Computer Talk Shop's off topic list, please goto:
http://szaroconsulting.com/cts/other_cts_lists.htm
---------------------------------------------------------------------------
------
Other related posts:
