F-Secure plays key role in slapping down Slapper worm

Late on Friday, September 13, 2002

Slapper, a new network worm, started to spread on Linux machines, exploiting a flaw discovered in August 2002 in the OpenSSL library.

Main features:

The worm typically affects Linux machines running the Apache web server with SSL enabled. Apache installations account for more than 60% of public web sites on the Internet; it can be estimated that fewer than 10% of those have SSL enabled. SSL is most often used for online commerce, banking and privacy applications.

What sets Slapper apart from other worms is its peer-to-peer networking capability, which the worm's author can use to take control of any or all of the infected servers. This was apparently designed for launching distributed denial-of-service attacks with the worm, but it also means that anybody, not only the author, can take over an infected machine and do practically anything with it.

Slapper is representative of a new breed of worms and viruses: it is as much an attack tool as it is a fast-spreading worm.

The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled, and the OpenSSL version must be 0.9.6d or older.
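A quick way to triage a fleet against the version threshold stated above is to compare the output of `openssl version` with 0.9.6d, taking OpenSSL's letter suffixes into account (0.9.6 precedes 0.9.6a, which precedes 0.9.6b, and so on). The following checker is an added example written for this page, not F-Secure's tooling; the sample version strings are constructed, and the only vulnerability rule it encodes is the "0.9.6d or older" cut-off from the text:

```python
import re
import subprocess

# Matches the version number inside lines such as
# "OpenSSL 0.9.6d 9 May 2002" or a bare "0.9.7".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Cut-off stated on the page: 0.9.6d and anything older is affected.
LAST_VULNERABLE = (0, 9, 6, "d")


def parse_openssl_version(text):
    """Return (major, minor, patch, letters) from an `openssl version` line.

    Letters are OpenSSL's patch-release suffix ("" for a bare release).
    Python tuple ordering then gives the right sequence:
    (0,9,6,"") < (0,9,6,"a") < (0,9,6,"d") < (0,9,6,"e") < (0,9,7,"").
    Raises ValueError if no version number is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version number in %r" % (text,))
    major, minor, patch, letters = match.groups()
    return (int(major), int(minor), int(patch), letters)


def is_vulnerable_by_version(text):
    """True if the reported version is 0.9.6d or older.

    This is a version-string test only: distributions that backport the
    fix without bumping the version will still report an old number
    (assumption: such a host must be confirmed against the vendor's
    package advisory rather than this check alone).
    """
    return parse_openssl_version(text) <= LAST_VULNERABLE


def installed_openssl_version():
    """Run `openssl version` on this host and return its output line."""
    result = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


# Constructed sample outputs (not taken from real hosts).
SAMPLE_OUTPUTS = [
    "OpenSSL 0.9.6d 9 May 2002",
    "OpenSSL 0.9.6e",
    "OpenSSL 0.9.6",
    "OpenSSL 0.9.5a",
    "OpenSSL 0.9.7",
]


def triage(lines):
    """Map each version line to True (vulnerable by version) or False."""
    return {line: is_vulnerable_by_version(line) for line in lines}


if __name__ == "__main__":
    for line, vulnerable in triage(SAMPLE_OUTPUTS).items():
        print("%-30s %s" % (line, "VULNERABLE" if vulnerable else "ok"))
    print("this host:", installed_openssl_version())
```

Treat a "VULNERABLE" result as a prompt to check the package, not as proof of exposure: vendors routinely ship a patched 0.9.6b or 0.9.6c whose version string never changes, and conversely a host that is not running Apache with SSL enabled is not reachable by the worm even on an old library.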

Slapper is very similar to the Scalper Apache worm, which was found in June 2002. Its basic theory of operation is similar to that of the first widespread web worm, Code Red, which infected more than 350,000 web sites running Microsoft IIS in July 2001.

Sunday, September 15, 2002

During the weekend following Friday the 13th, F-Secure engineers reverse engineered the peer-to-peer protocol that the worm uses. F-Secure has now infiltrated the Slapper peer-to-peer attack network, posing as an infected web server. Through this fake server, the exact number of infected machines and their network names can be identified.

F-Secure also started the Global Slapper Information Center, which provides regularly updated information on the spread of the worm and the number of infected servers, categorized by top-level domain.

http://www.f-secure.com/slapper/

Situation on Sunday 15th of September 2002, at 17:00 GMT

By Sunday evening, the Slapper worm had been in circulation for less than 40 hours. In this time, the number of infected servers grew from 0 to nearly 6,000. For reference, Code Red, known as the worst web worm so far, managed to infect only a couple of hundred servers within a similar time frame. Code Red went on to infect over 300,000 web servers during its peak in July 2001 and is still alive today. It is estimated that there are over 1,000,000 active OpenSSL installations on the public web. A very large proportion of those machines has not yet been patched to close this hole and is thus open to infection by the Slapper worm.

A snapshot of the data on Sunday, September 15th 2002 at 17:00 GMT showed that the network had 5,987 machines.

Monday, September 16, 2002 at 14:45 GMT

A new snapshot of the data on Monday, September 16th 2002 at 14:45 GMT showed that the network had 11,249 machines; the count roughly doubled in a day.

A later snapshot on Monday around 16:00 GMT showed 13,892 machines. However, this figure is quickly becoming less meaningful, as a very large number of these machines have already been cleaned.

F-Secure sent warnings to the administrators of infected systems, identified by their IP addresses. A free version of F-Secure Anti-Virus for Linux was also offered to the administrators of infected systems; its license allows the product to be used in a limited fashion to remove the worm from the system.

F-Secure was also in contact with national authorities in order to alert the administrators of infected systems.

In the process of warning the administrators of the infected servers, F-Secure worked in concert with 14 national CERT organizations. Many companies expressed their appreciation by email: "Thanks kindly for your warning; our customer tells us they have upgraded their server. Congratulations on a job well done." (Hugh Brown, Dowco Internet)
