Net-Worm.Linux.Slapper.a (Kaspersky Lab)
is also known as:
Worm.Linux.Slapper.a (Kaspersky Lab),
Linux/Slapper.worm.a (McAfee), Linux.Slapper.Worm (Symantec), Linux/Slapper-A (Sophos), Worm:Linux/Slapper* (RAV), ELF_SLAPPER.A (Trend Micro), UNIX/Slapper.A (FRISK), SRC:Malware (ALWIL), Linux.Worm.Slapper.A (SOFTWIN), Linux.Slapper-A (ClamAV), Linux/Slapper (Panda), Linux/Slapper.A (Eset)
"Slapper" is an Internet worm that infects Linux machines running the popular
"Apache" web server software. It does so by exploiting a vulnerability in the
"mod_ssl" Secure Sockets Layer (SSL) interface code of the server, which was
originally reported on July 30, 2002, and listed by the Computer Emergency
Response Team (CERT) as Vulnerability Note VU#102795 (http://www.kb.cert.org/vuls/id/102795).
The configurations vulnerable to the specific exploit implementation used
by the worm are Intel x86 Linux Apache installations with OpenSSL older than
0.9.6e and 0.9.7-beta. Updating to one of these two versions or other more recent
releases will patch the vulnerability and prevent the worm from infecting the
system.
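The version boundary above (OpenSSL older than 0.9.6e is affected; 0.9.6e, 0.9.7-beta and anything newer is fixed) is easy to get wrong by hand because OpenSSL's old numbering mixes patch letters ("0.9.6e") with pre-release suffixes ("0.9.7-beta3"). The following Python script is an added example, not code from Kaspersky Lab or the worm, that parses such version strings into a comparable form and flags the vulnerable ones; the `FIXED_VERSION` threshold, the regular expression and the function names are this example's own assumptions based on the entry's stated boundary.

```python
import re
import subprocess

# The entry states that 0.9.6e and 0.9.7-beta (and anything newer) are fixed,
# so anything that sorts strictly below 0.9.6e is considered vulnerable.
FIXED_VERSION = "0.9.6e"

# Matches "0.9.6", "0.9.6e", "0.9.7-beta", "0.9.7-beta3", "1.0.2k", "3.0.2" ...
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(alpha|beta|dev)(\d*))?$")


def parse_openssl_version(text):
    """Convert an OpenSSL version string into a tuple that sorts in release order.

    Tuple layout: (major, minor, fix, is_final, patch_letter_rank, prerelease_no).
    Pre-release builds (is_final == 0) sort below the final release of the same
    number, and patch letters sort a < b < ... < e after the unlettered release.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters, pre, pre_num = m.groups()
    # Treat patch letters as base-26 digits so that two-letter suffixes
    # (e.g. "zb") still sort after single letters.
    letter_rank = 0
    for ch in letters:
        letter_rank = letter_rank * 26 + (ord(ch) - ord("a") + 1)
    is_final = 0 if pre else 1
    return (int(major), int(minor), int(fix), is_final, letter_rank,
            int(pre_num) if pre_num else 0)


def is_vulnerable_openssl(version):
    """True if the given OpenSSL version string is older than the fixed release."""
    return parse_openssl_version(version) < parse_openssl_version(FIXED_VERSION)


def extract_version(banner):
    """Pull the version token out of `openssl version` output,
    e.g. 'OpenSSL 0.9.6b 9 Jul 2001' -> '0.9.6b'."""
    m = re.search(r"OpenSSL\s+(\S+)", banner)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % banner)
    return m.group(1)


if __name__ == "__main__":
    # Query the locally installed library and report the verdict.
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    ver = extract_version(banner)
    verdict = "VULNERABLE (older than %s)" % FIXED_VERSION if is_vulnerable_openssl(ver) else "not affected"
    print("OpenSSL %s: %s" % (ver, verdict))
```

The check is only as good as the version string: distributions routinely backport security fixes without changing the reported version, so a "vulnerable" verdict from this script means "verify against your vendor's advisory", while a "not affected" verdict can be trusted.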
The worm source is approximately 68.4 KB in size and has some similarities
with the "I-Worm.Scalper" worm reported earlier this year, which also hit
Apache servers through a buffer overflow exploit.
Besides infecting more computers to spread further, the worm acts as a
backdoor on the victim, allowing any potential attacker to run commands as
well as launch various types of Denial-of-Service attacks through a
distributed network maintained between the infected machines.
Technical details of the "Slapper" worm
As with the older "Scalper" worm, the attacks are mounted against
randomly-generated IP address ranges of the form a.b.x.x, where "a" is selected
from an array of 162 possible values, "b" is a fully random byte, and "x.x" is
scanned incrementally from "0.0" up to "255.255". For each address, the worm
first checks that it does not refer to the local machine (e.g. addresses of the
form 127.x.x.x), then tries to connect on port 80 and sends a simple "GET /"
request to check whether the server runs Apache. Next, the worm checks whether
the specific Apache version reported in the HTTP headers matches any of the
versions it knows how to infect, and if so proceeds further. If an Apache server
is detected but the reported version is unknown to the worm, the entry for
"Red-Hat 1.3.26" is tried anyway.
The complete list of Linux distributions and Apache versions the worm knows
how to "correctly" infect is the following:
(Apache): "Gentoo", "Debian 1.3.26", "Red-Hat 1.3.6", "Red-Hat 1.3.9",
"Red-Hat 1.3.12", "Red-Hat 1.3.12", "Red-Hat 1.3.19", "Red-Hat 1.3.20",
"Red-Hat 1.3.26", "Red-Hat 1.3.23", "Red-Hat 1.3.22", "SuSE 1.3.12",
"SuSE 1.3.17", "SuSE 1.3.19", "SuSE 1.3.20", "SuSE 1.3.23",
"SuSE 1.3.23", "Mandrake 1.3.14", "Mandrake 1.3.19", "Mandrake 1.3.20",
"Mandrake 1.3.23", "Slackware 1.3.26" and "Slackware 1.3.26".
So, if the web server reply includes the "Apache" string, the worm attempts
to exploit the SSL vulnerability by first "shaking hands" with the SSL server
on port 443. If the exploit succeeds, it UUENCODEs a copy of its own source,
uploads it through the hijacked connection to the victim server, compiles it
and then runs it. During this process, the UUENCODED copy of the worm is saved
as "/tmp/.uubugtraq", the clear-text source of the worm as "/tmp/.bugtraq.c",
and the compiled binary is stored as "/tmp/.bugtraq".
When run on the victim server, the worm again enters the replication
cycle, looking for more hosts, and activates the backdoor component on
UDP port 2002. The worm makes no provision for surviving server reboots:
it does not install itself anywhere that would hand it control every
time the system is restarted.
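The three temporary files and the UDP port 2002 listener described above are the host-side indicators an administrator can check for directly. The Python script below is an added example, not code from Kaspersky Lab or from the worm, that looks for those file names in a directory listing and parses /proc/net/udp (whose local_address column is hexadecimal IP:PORT) for a socket bound to port 2002. The function names are this example's own, and the /proc/net/udp sample embedded in it is constructed for illustration.

```python
import os

# File names the entry says the worm drops in /tmp.
SLAPPER_TMP_NAMES = {".uubugtraq", ".bugtraq.c", ".bugtraq"}
# UDP port the entry says the backdoor component listens on.
SLAPPER_UDP_PORT = 2002


def suspicious_tmp_entries(names):
    """Return the directory entries (from e.g. os.listdir('/tmp')) whose
    names match the worm's known temporary files, sorted for stable output."""
    return sorted(set(names) & SLAPPER_TMP_NAMES)


def listening_udp_ports(proc_net_udp_text):
    """Parse the text of /proc/net/udp and return the set of local ports
    with a bound UDP socket. The kernel writes local_address as HEXIP:HEXPORT
    (IPv4 as 8 hex digits, IPv6 as 32), so the port is whatever follows the
    last colon."""
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        _ip_hex, port_hex = fields[1].rsplit(":", 1)
        ports.add(int(port_hex, 16))
    return ports


def slapper_indicators(tmp_names, proc_net_udp_text):
    """Combine both checks into one report dictionary."""
    return {
        "tmp_files": suspicious_tmp_entries(tmp_names),
        "udp_2002_bound": SLAPPER_UDP_PORT in listening_udp_ports(proc_net_udp_text),
    }


# Constructed sample of /proc/net/udp: one DHCP client socket (port 0x0044 = 68)
# and one socket bound to 0x07D2 = 2002, the backdoor port.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 19732 2 0000000000000000 0
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23391 2 0000000000000000 0
"""


if __name__ == "__main__":
    # Run the checks against the live system when executed directly.
    tmp_names = os.listdir("/tmp") if os.path.isdir("/tmp") else []
    udp_text = ""
    if os.path.exists("/proc/net/udp"):
        with open("/proc/net/udp") as fh:
            udp_text = fh.read()
    report = slapper_indicators(tmp_names, udp_text)
    print("suspicious /tmp entries:", report["tmp_files"] or "none")
    print("UDP %d bound:" % SLAPPER_UDP_PORT, report["udp_2002_bound"])
```

Both indicators are weak on their own: the file names are trivially changed in variants, and port 2002 can be legitimately in use, so a hit should trigger a closer look (which process owns the socket, what is in the files) rather than an automatic verdict. Because the worm does not persist across reboots, a reboot clears the running backdoor but leaves the /tmp artifacts behind as evidence.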
The backdoor accepts a rather large set of commands, among them flooding
remote systems with UDP, TCP, DNS or RAW packets, running local commands,
downloading a binary from a remote machine via HTTP and running it, sending
mail, providing information on the configuration of the hacked machine,
and so on.
All communication with the backdoor is encrypted; however, the encryption
is static and is probably there only to hinder direct analysis of the
traffic.
As an interesting detail, the worm will attempt to create and maintain
a communication network between infected machines, each node having
the ability to receive and forward commands. This allows a malevolent
"master" to mount a distributed DoS attack in which the single "order"
of attack is executed and passed along by all the network participants.
Another interesting detail is that the worm contains a "version" tag,
which in this version of "Slapper" is set to "12.09.2002". A similar
tag in the previous "Scalper" worm was "26.04.2002".
The following comments, presumably from the author, can be seen inside
the worm source:

/****************************************************************************
 *
 * Peer-to-peer UDP Distributed Denial of Service (PUD)
 *
 * by contem@efnet
 *

and

 * I am not responsible for any harm caused by this program!
 *
 * I made this program to demonstrate peer-to-peer communication and
 * should not be used in real life. It is an education program that
 * should never even be ran at all, nor used in any way, shape or
 * form. It is not the authors fault if it was used for any purposes
 * other than educational.
 *