Threat Description



Category: Malware
Type: Worm
Platform: Linux
Aliases: Linux.Devnull, Devnull, Kaiten


This worm is related to Slapper. For more information on Slapper, see

This worm was found on Monday the 30th of September 2002. It is known as Linux.Devnull. Some security vendors are calling it Linux.Slapper.D, although the only thing it has common with Slapper is that it uses the same vulnerability.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


More information on scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

This worm, once the host has been compromised, downloads and executes a shell script from a web server. This script downloads an gzipped executable file from the same address, it then decompresses and runs the file.

This downloaded file appears to be an IRC client, it connects to different channels and waits for commands to process on the infected host.

Above: a screenshot of the IRC channel used by the worm for remote control of infected machines. The channel had hundreds of bots, each representing one infected machine.

After this, the script downloads another compressed file which contains an executable and a C source code file. It tries to compile the source and runs the executable. The executable will scan for vulnerable hosts and it will use the compiled program to exploit the the known OpenSSL vunerability.

We are currently trying to remove these files from the web server - once this is done, the worm shouldn't be able to spread further. The files seem to be available on a server of a Japanese University.

If a vulnerable host is found it will send the script file and execute it remotely. Then the decribed process starts in the new infected host.

This worm doesn't create a P2P network as Slapper did.

Technical Details:Ero Carrera, F-Secure, September 30th, 2002


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More