Slapper (Linux.Slapper.a) is a worm that attacks Linux servers running Apache with mod_ssl and uses a known vulnerability in the Secure Sockets Layer (SSL) handshake process.According to F-Secure, an antivirus-software company, the Apache service runs on more than 60 percent of the public Web sites, although only 10 percent of those have SSL enabled. Slapper is known to carry distributed-denial-of-service-attack (DDoS) and backdoor remote-access capabilities, allowing malicious users control of an infected system. Slapper only affects Linux installations running Red Hat, SuSE, Mandrake, Slackware, or Debian. It does not run on Windows or Mac. Compared with Code Red or Nimda, Slapper is currently rated as a low virus threat.
How it works
The Slapper worm first scans for potential systems to infect using an invalid HTTP GET request on port 80/tcp. When a system running Apache is located, Slapper attempts to send code to the SSL service on port 443/tcp. If successful, the newly infected machine compiles the code and begins scanning the Internet for another system to infect.
A newly infected system will also initiate an open channel on post 2002/udp, linking it to other infected systems, forming a DDoS network. Infected systems can then share updated code or information. A malicious user could use such a network to target a popular Web site. By commanding the network of infected systems to ping one targeted Web site repeatedly, a malicious user could deny legitimate users access to that site.
According to the security company, Internet Security Systems, the following Linux installations are vulnerable:
-
Debian Linux, Apache 1.3.26
Red Hat Linux, Apache 1.3.6
Red Hat Linux, Apache 1.3.9
Red Hat Linux, Apache 1.3.12
Red Hat Linux, Apache 1.3.19
Red Hat Linux, Apache 1.3.20
Red Hat Linux, Apache 1.3.23
SuSE Linux, Apache 1.3.12
SuSE Linux, Apache 1.3.17
SuSE Linux, Apache 1.3.19
SuSE Linux, Apache 1.3.20
SuSE Linux, Apache 1.3.23
Mandrake Linux, Apache 1.3.14
Mandrake Linux, Apache 1.3.19
Mandrake Linux, Apache 1.3.20
Mandrake Linux, Apache 1.3.23
Slackware Linux, Apache 1.3.26
Gentoo Linux (Apache version undetermined)
Infected Linux systems will have the following files:
-
/temp/.bugtraq.c
/temp/.bugtraq
Prevention
CERT recommends that all systems running OpenSSL review CA-2002-23 and VU#102795 for detailed vendor recommendations regarding patches. The vulnerability exploited by the Apache/mod_ssl worm has been fixed as of OpenSSL version 0.9.6e. Currently, the latest version of OpenSSL is 0.9.6g.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, Kaspersky, McAfee, Sophos, and Symantec.
Does your company have Secure Sockets Layer enabled on its Apache Web Servers? TalkBack below or e-mail us with your thoughts.
