Linux/Slapper-A

Discussion in 'malware problems & news' started by FanJ, Sep 14, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: Linux/Slapper-A
    Type: Linux worm
    Date: 14 September 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description
    Linux/Slapper-A is a worm which tries to exploit a buffer overflow vulnerability in the OpenSSL component of SSL-enabled Apache web servers. Once active, the worm can be used as a backdoor to start up a range of denial-of-service attacks.

    Linux/Slapper-A spreads between systems via TCP port 443 (SSL). Before connecting to this port, the worm connects to TCP port 80 (HTTP) in order to try to customise its attack for specific Apache versions. If a web server other than Apache (or which identifies itself as other than Apache) is found, the worm will not attempt to infect.

    The worm looks for:

    Red Hat running Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23 and 1.3.26.

    SuSE running Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23.

    Mandrake running Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23.

    Slackware running Apache 1.3.26.

    Debian running Apache 1.3.26.

    Gentoo running any version of Apache.

    If the system distribution or Apache version cannot be determined, the worm assumes Red Hat running Apache 1.3.23.

    Linux/Slapper-A connects via TCP port 443 (SSL) and tries to launch a shell (/bin/sh) on the remote system by exploiting a buffer overflow. The flaw in OpenSSL which allows Linux/Slapper-A to spread was announced and fixed in an OpenSSL Security Advisory of 30 July 2002.

    If Linux/Slapper-A successfully breaks into its victim, the worm injects a shell script into the remote shell it has launched. The shell script contains a uuencoded copy of the worm's own source code. The script decodes this source code into the file /tmp/.bugtraq.c, compiles it using gcc into the executable file /tmp/.bugtraq and then executes it. A daemon process called .bugtraq will be visible on infected computers.

    Note that the Linux/Slapper-A worm depends on the presence of the gcc compiler on victim computers, and also requires that the compiler be executable by the Apache user. Sophos recommends removing, or limiting access to, the compiler on production web servers.

    Once active, Linux/Slapper-A opens up a backdoor which can be contacted via UDP port 2002. The backdoor is intended to allow a range of attacks to be initiated from infected computers, such as: executing arbitrary commands; creating TCP floods; creating DNS floods and searching for email addresses on disk.



    Recovery
    Please read the instructions for removing worms.
    Search for and kill any running processes named .bugtraq.



    More information about Linux/Slapper-A can be found at
    http://www.sophos.com/virusinfo/analyses/linuxslappera.html
     
    FanJ, Sep 14, 2002
    #1
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    F-Secure reverse engineered worms network protocol -- real-time information on number and location of infected computers

    The Linux.Slapper worm was first seen on Friday the 13th. Since then it has infected thousands of web servers around the world and continues to spread.
    What sets it apart from other worms is its peer-to-peer networking capability, which the worm author may utilize to take over any or all of the infected servers. This was apparently designed to launch distributed
    denial-of-service attacks with the worm, but it also results in a situation where anybody can take over an infected machine and do practically anything with it.

    The Slapper is representative of the new breed of worms and viruses as it is as much an attack tool as it is a quickly spreading worm.

    During the weekend following Friday the 13th, F-Secure engineers have reverse engineered the peer-to-peer protocol that the worm uses. F-Secure has now infiltrated the Slapper peer-to-peer attack network, posing as an infected web server. Through this fake server, the exact number of infected machines and their network names can be identified.

    F-Secure's Global Slapper Information Center provides regularly updated information on the spread of the virus and numbers of infected servers categorized by the top-level domain. F-Secure is also sending a warning to
    the administrators of infected systems based on their IP addresses.

    A free version of F-Secure Anti-Virus for Linux will also be made available to the administrators of infected systems. The license allows the product to be used in a limited fashion to remove the worm from the system.

    F-Secure is also contacting the national authorities in order to alert the administrators of infected systems. It is imperative that the servers are cleaned and patched to prevent future infections as soon as possible - both
    to stop the spreading of the worm and to prevent unauthorised access to the infected servers.

    Global Slapper Information Center can be found from:
    http://www.f-secure.com/slapper/

    Situation on Sunday 15th of September 2002, at 17:00 GMT

    By Sunday evening, the Linux.Slapper worm had been in circulation for less than 40 hours. In this time, the number of infected servers has grown from 0 to over 6000. For reference, Code Red - which is known as the worst web worm so far - managed to infect only a couple of hundred servers within similar time frame. Code Red went on to infect over 300,000 web servers during its peak in July 2001 and is still alive today. It is estimated that there are
    over 1,000,000 active OpenSSL installations in the public web. A very big part of those machines has not yet been patched to close this hole, and are thus prone for infection by the Slapper worm.

    The worm infects unprotected Linux machines that are running Apache web server with OpenSSL enabled. Uniquely, the worm spreads in C source code format, recompiling itself on every infected machine.

    Detailed technical description of the worm as well as a screenshot are available in the Global Slapper Information Center in http://www.f-secure.com/slapper/
     
    Paul Wilders, Sep 15, 2002
    #2
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    WOW!
    The sky really is falling.
    Makes ya wonder where all this is going huh? These guys just keep getting nastier and nastier. :mad:
     
    root, Sep 15, 2002
    #3
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    One wonders with all that creativity and knowledeability why they don't build a nice secure new OS for the world and make real money replacing windows.
    Windows has it's name from all those peeping holes probably; else it had been bunker or such a name.
     
    Jooske, Sep 15, 2002
    #4
  5. MyNethingyman

    MyNethingyman Guest

    MyNethingyman, Sep 16, 2002
    #5
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    ..apply the available patch. ;)

    regards.

    paul
     
    Paul Wilders, Sep 17, 2002
    #6
  7. FanJ

    FanJ Guest

    FanJ, Sep 17, 2002
    #7
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Global Slapper Worm Information Center

    Updated: Monday 23rd of September, 08:20 GMT


    NEWS UPDATE ON SLAPPER VARIANTS
    Two new variants of Slapper, "Cinik" and "Unlock" have been found over the weekend.

    For more information, see the virus description.

    As both Cinik and Unlock versions use the same vulnerability as the original Slapper worm, most of the potential targets for them have been updated and patched already to prevent infection.
    http://www.f-secure.com/slapper/

    ______________________________________
    A new variant of Slapper known as "Cinik" was found on Monday the 23rd of September 2002.

    This is slightly modified variant of Slapper.A. It uses port 1978 instead of port 2002 and the filename of the worm has been changed to "cinik.c".


    __________________________________________

    Another variant "Unlock" was found on Sunday the 22nd of September 2002.

    This variant uses port 4156 instead of port 2002 and the filename of the worm has been changed to "unlock.c".
     
    Primrose, Sep 23, 2002
    #8
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    A suspect has been arrested on suspicion of authoring the Slapper worm.
    But although the threat of the worm seems to have been shortlived, a new variant is already set to take up where its predecessor left off...

    more: http://www.vnunet.com/News/1135274


    Technodrome
     
    Technodrome, Sep 23, 2002
    #9
  10. FanJ

    FanJ Guest

    Re:Linux/Slapper-B

    Name: Linux/Slapper-B
    Aliases: Worm.Linux.Slapper, Linux/Slapper.worm
    Type: Linux worm
    Date: 24 September 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Note: This IDE file contains detection for both Linux/Slapper-B
    and Linux/Slapper-C.

    Description
    Linux/Slapper-B is a variant of Linux/Slapper-A and is a worm which tries to exploit a buffer overflow vulnerability in the OpenSSL component of SSL-enabled Apache web servers. Once active, the worm can be used as a backdoor to start up a range of denial-of-service attacks.

    Linux/Slapper-B spreads between systems via TCP port 443 (SSL). Before connecting to this port, the worm connects to TCP port 80 (HTTP) in order to try to customise its attack for specific Apache versions. If a web server other than Apache (or which identifies itself as other than Apache) is found, the worm will not attempt to infect.

    The worm looks for:

    Red Hat running Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23 and 1.3.26.

    SuSE running Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23.

    Mandrake running Apache 1.3.14, 1.3.19, 1.3.20, 1.3.23.

    Slackware running Apache 1.3.26.

    Debian running Apache 1.3.26.

    Gentoo running any version of Apache.

    If the system distribution or Apache version cannot be determined, the worm assumes Red Hat running Apache 1.3.23.

    Linux/Slapper-B connects via TCP port 443 (SSL) and tries to launch a shell (/bin/sh) on the remote system by exploiting a buffer overflow. The flaw in OpenSSL which allows Linux/Slapper-B to spread was announced and fixed in an OpenSSL Security Advisory of 30 July 2002.

    If Linux/Slapper-B successfully breaks into its victim, the worm injects a shell script into the remote shell it has launched. The shell script contains a uuencoded copy of the worm's own source code. The script decodes this source code into the file /tmp/.unlock.c, compiles it using gcc into the executable file /tmp/.unlock and then executes it. A daemon process called .unlock will be visible on infected computers.

    Note that the Linux/Slapper-B worm depends on the presence of the gcc compiler on victim computers, and also requires that the compiler be executable by the Apache user. Sophos recommends removing, or limiting access to, the compiler on production web servers.

    Once active, Linux/Slapper-B opens up a backdoor which can be contacted via UDP port 4156. The backdoor is intended to allow a range of attacks to be initiated from infected computers, such as: executing arbitrary commands; creating TCP floods; creating DNS floods and searching for email addresses on disk.

    Further information from Sophos about how to protect against the Slapper family of worms is available here.


    Recovery
    Please read the instructions for removing worms.
    Search for and kill any running processes named:
    .unlock

    Delete these files, if they exist:
    /tmp/.unlock
    /tmp/.unlock.c
    /tmp/.unlock.uu
    /tmp/.update.c
    /tmp/update



    More information about Linux/Slapper-B can be found at
    http://www.sophos.com/virusinfo/analyses/linuxslapperb.html
     
    FanJ, Sep 24, 2002
    #10
  11. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Re:Linux/Slapper-A --Cure has been found!

    :) Hello Everyone! This news article reads very much like Forum Admin's posting of September 15, 2002 except now F-Secure has a cure for it! See below.

    F-Secure Plays Key Role In Slapping Down Slapper Worm
    Helsinki, Finland - September 25, 2002

    The threat of the Linux Slapper worm has been nullified by proactive anti-virus work by specialists at F-Secure. In what is believed to be the first action of its kind by an anti-virus company, F-Secure was able to identify exactly which Web servers were being infected as each infection happened, send a warning to the administrators of the infected systems, and offer a free version of F-Secure Anti-Virus for LinuxTM to remove the worm from their systems.

    Read More.....

    This is good business and good community relations for everyone! Well done!

    Note: The above article is for informational purposes only (FYI) and not to be construed with expert advice. (I don't believe everything I read. Nor should you.) Thanks.
     
    Prince_Serendip, Sep 25, 2002
    #11
  12. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Re:Linux/Slapper-A --Cure has been found!

    I do commend F-Secure for taking that action, but believe they have overstated the uniqueness of that approach as well as it's effectiveness.

    I've been detecting worm infections for over two years now and now send upwards of 100,000 notification email/month...so this approach is certainly not new.

    Also, there is no *reliable* way to identify the administrators of such systems as most infected IPs don't even have detailed Whois records (e.g. it just shows the ISPs email address). Even the IPs that have detailed Whois records are sorely out of date: invalid email addresses, people who left the company years ago, companies that don't even exist anymore due to mergers, etc..

    I suspect that about 80% of whois records will show only an ISP email address..and unfortunately sending such notifications to ISP's abuse department is often a huge blackhole...at best the end-user will not even be notified for 4-6 WEEKS after the notice is sent...others (I suspect) completely ignore them due to lack of manpower to handle it (esp. during worm surges).

    Yesterday, I sent out 8,000 Slapper infection notices, I received about 10 thank-you emails back.

    So don't be fooled into thinking that just because F-secure sent out a bunch of emails that everyone is now aware of it.

    Here we are 12 months after Code Red/Nimda first came out...I've probably sent 2 Million alert emails and we STILL have 50,000 CR/Nimda infected hosts (and new ones coming online ever day).
     
    NetWatchman, Sep 25, 2002
    #12
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...