Linux/Slapper.worm.a
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 09/13/2002
- Length
- 68,335 bytes (bugtraq.c)
- Minimum DAT
- 4223 (09/18/2002)
- Updated DAT
- 4251 (03/05/2003)
- Minimum Engine
- 5.1.00
- Description Added
- 09/16/2002
- Description Modified
- 09/25/2002 3:27 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
This worm spreads to Apache installations with mod_ssl on many Linux platforms, using a previously disclosed vulnerability in the OpenSSL library that affects versions up to and including 0.9.6d and 0.9.7 beta 1. It is a modified derivative of the BSD/Scalper worm, from which it inherits its propagation strategy: it scans an entire class B network (a /16) built by taking the first octet from a hard-coded list of class A values and generating the second octet at random.
The worm only attacks specific Linux distributions. It first sends a plain HTTP request to port 80 and examines the Server: header of the response; only if the target reports one of the distribution and Apache version combinations below does it proceed to attack port 443 (HTTPS). Target distributions are:
| Linux distribution | Apache version(s) |
| --- | --- |
| Gentoo | unknown |
| Debian | 1.3.26 |
| Red-Hat | 1.3.6 1.3.9 1.3.12 1.3.19 1.3.20 1.3.22 1.3.23 1.3.26 |
| SuSE | 1.3.12 1.3.17 1.3.19 1.3.20 1.3.23 |
| Mandrake | 1.3.14 1.3.19 1.3.20 1.3.23 |
| Slackware | 1.3.26 |
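The two-stage target selection described above, reconstructed as an added example (this is not the worm's source code): parse the Server: header of the port 80 response, look the distribution and Apache version up in the table, and only on a match treat the host as a candidate for the port 443 attack, plus the class B address block construction. The worm's actual string matching, the class A list it hard-codes and the banner formats of each distribution are not on the page: the DISTRO_MARKERS values, CLASS_A_EXAMPLE and the banners in the usage section are assumptions, and the network I/O is left out so the logic runs offline.

```python
"""Slapper.A target selection, reconstructed from the description (added
example, not the worm's source). DISTRO_MARKERS, CLASS_A_EXAMPLE and the
sample banners are assumptions; the page does not give them."""
import random
import re

# Distribution -> accepted Apache versions, transcribed from the table above.
# Gentoo is listed with an unknown version, so any version is accepted.
TARGETS = {
    "Gentoo": None,
    "Debian": {"1.3.26"},
    "Red-Hat": {"1.3.6", "1.3.9", "1.3.12", "1.3.19", "1.3.20",
                "1.3.22", "1.3.23", "1.3.26"},
    "SuSE": {"1.3.12", "1.3.17", "1.3.19", "1.3.20", "1.3.23"},
    "Mandrake": {"1.3.14", "1.3.19", "1.3.20", "1.3.23"},
    "Slackware": {"1.3.26"},
}

# Assumed substrings that identify the distribution in the banner comment
# (compared after lower-casing and removing hyphens and spaces).
DISTRO_MARKERS = {
    "Gentoo": "gentoo",
    "Debian": "debian",
    "Red-Hat": "redhat",
    "SuSE": "suse",
    "Mandrake": "mandrake",
    "Slackware": "slackware",
}

# Matches "Server: Apache/1.3.26 (Unix) ..." and the Mandrake product name
# "Server: Apache-AdvancedExtranetServer/1.3.23 (...)".
SERVER_RE = re.compile(
    r"^Server:\s*Apache[\w-]*/(\d+\.\d+\.\d+)\s*(.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_server_header(response):
    """Return (apache_version, banner_comment) from a raw HTTP response,
    or None when there is no Apache Server: header."""
    m = SERVER_RE.search(response)
    if m is None:
        return None
    return m.group(1), m.group(2)


def select_target(response):
    """Stage one of the worm's logic: decide from the port 80 response
    whether the host is attacked on 443. Returns the matched distribution
    name, or None when the banner is not in the target table."""
    parsed = parse_server_header(response)
    if parsed is None:
        return None
    version, comment = parsed
    normalised = comment.lower().replace("-", "").replace(" ", "")
    for dist, versions in TARGETS.items():
        if DISTRO_MARKERS[dist] in normalised:
            if versions is None or version in versions:
                return dist
    return None


def scan_block_for(first_octet, second_octet):
    """The /16 the worm sweeps: a fixed first octet and a chosen second."""
    if not 0 <= second_octet <= 255:
        raise ValueError("second octet out of range")
    return f"{first_octet}.{second_octet}.0.0/16"


def pick_scan_block(rng, class_a_list):
    """First octet from the hard-coded list, second octet random."""
    return scan_block_for(rng.choice(class_a_list), rng.randrange(256))


# Placeholder for the hard-coded class A list, which the page does not give.
CLASS_A_EXAMPLE = [3, 4, 6, 8]

if __name__ == "__main__":
    # Constructed banners, not captured traffic.
    for banner in (
        "HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix) Debian GNU/Linux\r\n\r\n",
        "HTTP/1.1 200 OK\r\nServer: Apache/1.3.23 (Unix)  (Red-Hat/Linux)\r\n\r\n",
        "HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix) Debian GNU/Linux\r\n\r\n",
        "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    ):
        print(banner.splitlines()[1], "->", select_target(banner))
    print("next sweep:", pick_scan_block(random.Random(1), CLASS_A_EXAMPLE))
```

The defensive reading of this logic is the obvious one: a server whose Server: header names its distribution and an Apache 1.3.x version from the table is exactly what this scanner is looking for, so the banner check is also the cheapest way to tell which of your own hosts the worm would have selected.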
On a vulnerable system, the worm uploads itself as a uuencoded source file, decodes it and compiles the source into an ELF binary. This binary is detected as Unix/Scalper.worm.gen (it bears enough similarity to BSD/Scalper.worm that both are detected generically). The worm depends on a C compiler being present and accessible on the victim. Recompiling locally sidesteps the instability a single prebuilt binary would suffer across different Linux distributions and flavors. The names and locations of the encoded file, the decoded source and the compiled binary depend on the variant and are listed under "Symptoms".
The infected computers form a global network of compromised servers based on peer-to-peer communication. Because it accepts remote commands, this network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes. Any command received by one computer is retransmitted to the other members of the worm network. Commands received from the P2P network include:
Symptoms
Presence of the following files:
- /tmp/bugtraq.c (usually 68,335 bytes)
- /tmp/bugtraq
- /tmp/uubugtraq
Method of Infection
This Slapper variant uses the following:
- P2P: UDP port 2002 is used for control instructions
- Files: /tmp/bugtraq.c (source), /tmp/.uubugtraq (uuencoded), /tmp/.bugtraq (binary)
- Capabilities: TCP, UDP and DNS flooding; scanning the file system for e-mail addresses
Removal
Detection is included in the specified DAT release. In addition to the DAT version required for detection, the specified engine version (or greater) must also be used.
Delete the files identified by the scanner, replace them with clean copies from backup or reinstall them from the original packages, and reboot the system.
Inspect the crontab files and remove unwanted entries. It is advisable to remove the C compiler from the server or restrict access to it; disabling compilers on production systems is recommended as good security practice.
Administrators should regularly check for the availability of important security updates and patches, in particular an OpenSSL build that is not affected by the vulnerability this worm exploits.
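A host-side check for the indicators listed under "Symptoms", "Method of Infection" and "Removal", as an added example (this is not McAfee's scanner): the dropped files in /tmp, a UDP listener on port 2002 and crontab entries that reference the dropped binary. The description spells the file names both with and without a leading dot, so both forms are checked. The /proc/net/udp and crontab samples embedded below are constructed for the demonstration, not captured from an infected host.

```python
"""Indicator check for Slapper.A (added example, not McAfee's scanner).
The sample /proc/net/udp and crontab text below is constructed."""
import os
import re

# Both spellings given in the description (with and without leading dot).
INDICATOR_NAMES = (
    "bugtraq.c", "bugtraq", "uubugtraq",
    ".bugtraq.c", ".bugtraq", ".uubugtraq",
)
P2P_UDP_PORT = 2002

# Any spelling of the dropped files, not followed by more name characters.
CRON_RE = re.compile(r"/tmp/\.?(?:uu)?bugtraq(?:\.c)?(?![\w.])")


def find_dropped_files(entries):
    """Given the names in a directory listing, return the indicator names
    present, in INDICATOR_NAMES order. Pure so it can be checked offline."""
    present = set(entries)
    return [name for name in INDICATOR_NAMES if name in present]


def scan_tmp(tmp_dir="/tmp"):
    """Filesystem wrapper: path -> size for every indicator file found."""
    hits = find_dropped_files(os.listdir(tmp_dir))
    return {os.path.join(tmp_dir, n): os.path.getsize(os.path.join(tmp_dir, n))
            for n in hits}


def udp_ports(proc_net_udp_text):
    """Parse /proc/net/udp (a header line, then rows whose second field is
    the local address as hex ADDR:PORT) and return the bound local ports."""
    ports = set()
    for row in proc_net_udp_text.splitlines()[1:]:
        fields = row.split()
        if len(fields) < 2:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def p2p_port_bound(proc_net_udp_text):
    """True when something is bound to the worm's control port, UDP 2002."""
    return P2P_UDP_PORT in udp_ports(proc_net_udp_text)


def suspicious_cron_lines(crontab_text):
    """Return non-comment crontab lines that reference the dropped files."""
    return [ln for ln in crontab_text.splitlines()
            if not ln.lstrip().startswith("#") and CRON_RE.search(ln)]


def report(tmp_entries, proc_net_udp_text, crontab_text):
    """Combine the three checks into one result dictionary."""
    files = find_dropped_files(tmp_entries)
    port = p2p_port_bound(proc_net_udp_text)
    cron = suspicious_cron_lines(crontab_text)
    return {"dropped_files": files, "udp_2002_bound": port,
            "cron_lines": cron, "infected": bool(files or port or cron)}


# Constructed samples: a host with DNS on UDP 53 and the worm on UDP 2002
# (0x07D2), plus a crontab that restarts the dropped binary.
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234\n"
    "   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 5678\n"
)
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/updatedb\n"
    "*/5 * * * * /tmp/.bugtraq 2002 >/dev/null 2>&1\n"
)

if __name__ == "__main__":
    print("sample host:", report([".bugtraq", "sess_1"], SAMPLE_PROC_NET_UDP, SAMPLE_CRONTAB))
    # Live check of this machine; the proc and crontab reads are Linux-specific.
    try:
        with open("/proc/net/udp") as f:
            udp_text = f.read()
    except OSError:
        udp_text = ""
    try:
        with open("/etc/crontab") as f:
            cron_text = f.read()
    except OSError:
        cron_text = ""
    print("this host:", report(os.listdir("/tmp"), udp_text, cron_text))
```

Run as root so that /tmp and the per-user crontabs under /var/spool/cron (which this example does not read) are all visible; a match on any of the three checks is a reason to follow the removal steps above rather than just delete the files, because the compiled binary may already have been restarted from cron.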
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Apache/Mod_ssl worm
Recommended links:
Caldera
Debian
FreeBSD
Redhat
Sun
SuSe