[windows2000] Virus Alert: Slapper targets Linux Apache

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Mon, 16 Sep 2002 16:35:53 -0400

For those running Apach Servers....TAKE HEED!

Subject: LiveSecurity | Virus Alert: Slapper targets Linux Apache



September 16, 2002

NOTE: This e-mail was sent from an unattended mailbox, so
please do not reply to it. Our contact information appears at 
the end of this e-mail.

Some URLs in the article below may wrap to a second line. When that
occurs, clicking on them does not work. To follow a multi-line link,
please copy and paste its parts into your browser's address window
to reassemble it into a working URL. For an easier-to-read HTML
version of this article with live links, go to:



Discovered September 13, Slapper is a new Linux-based worm that
takes advantage of past OpenSSL vulnerabilities described in our
July 30 Information Alert 
Slapper is not your normal e-mail-based worm. Rather, it targets
Linux Apache servers, the most popular Web servers on the Internet,
and creates what could best be described as a peer-to-peer network
of zombie servers that the virus author can use in Distributed
Denial of Service (DDoS) attacks.

Slapper had already infected over 3500 servers when Symantec posted
this advisory: 
A report from F-Secure 
updated Monday morning stated 11,200 systems had been infected,
indicating that the worm is spreading rapidly. An advisory
from Internet Security Systems (ISS) reports that the DDoS features
of the worm have already been used to attack and disable high-
profile targets.

Slapper begins its attack looking for Web servers by scanning ranges
of IP addresses on TCP port 80. When it finds a Web server, the worm
sends a purposely invalid HTTP GET request, hoping that the Web
server will reply with an error message. The error message tells
Slapper whether or not it has found a susceptible Apache server.

When Slapper finds a vulnerable server, it then sends a specially-
crafted, overly-long string to the server on the SSL port (TCP 443).
If you have not patched your server for the OpenSSL vulnerability,
Slapper gains root access using this exploit. Then it copies itself
to your machine as source code (/tmp/.bugtraq.c), and compiles
itself locally (/tmp/.bugtraq). Uploading itself as source rather
than as an executable helps the worm ensure stability regardless of
which flavor of Linux it encounters. Once Slapper has infected your
server, it starts scanning for more vulnerable servers on the
Internet and repeats the infection process.

Besides spreading itself, Slapper also installs something like a
peer-to-peer service on your server, listening on UDP port 2002. The
virus author can send commands to this port to do the following:

* Execute code on your server
* Execute both TCP and TCP IPv6 flood attacks
* Execute UDP flood attacks
* Execute DNS flood attacks
* Search your machine for all its stored e-mail addresses
* Send messages to other zombie machines in Slapper's peer-to-
  peer network

In short, once Slapper has infected your machine the virus author
gains total control and can use your server in DDoS attacks.


This is not an email-borne worm. Slapper only attacks Linux-based,
Apache Web servers. If you use a Linux Apache server and followed
the advice in our July 30 Information Alert 
you're not vulnerable to Slapper infection. Otherwise, upgrade to
the latest version of OpenSSL immediately.

Administrators can also mitigate the chance of infection by
disabling Apache's SSL features if not used. Refer to the directions
in the "Recommendations" section of ISS's advisory for details

Finally, most anti-virus vendors have released engine updates to
detect Slapper. Administrators should contact their anti-virus
vendor for the latest virus definitions.

-- Suggestions for SOHO and Firebox users

Slapper infects using normal Web and Secure Web traffic. If you have
a secure Web server, you must allow this traffic for clients to
access your Web site. Therefore, the solutions above are your
primary recourse. However, both the SOHO and Firebox deny incoming
UDP port 2002 by default. As long as you have not added a custom
service allowing this port, an attacker cannot use your Web server
in a DDoS attack based on a Slapper infection.

-- Suggestions for ServerLock and AppsLock/Web users

Currently, Slapper only works on Linux machines, and thus would not
affect servers protected by ServerLock. However, Slapper is a
variant of a previous worm and, like most Linux applications, is
easily modified. If a variant of Slapper emerges which works on
Solaris or Windows machines, we will alert you. In any case,
ServerLock prevents your critical files from being damaged by
Slapper or any other worm. ##

Credits: this alert researched and written by Corey Nachreiner.

To Unsubscribe, set digest or vacation
mode or view archives use the below link.


Other related posts:

  • » [windows2000] Virus Alert: Slapper targets Linux Apache