"Slapper" OpenSSL/Apache Worm
September 27, 2002
The National Infrastructure Protection Center (NIPC) has been coordinating
with the anti-virus and security community on the life cycle of "Slapper," the
OpenSSL/Apache worm and all its variants. Currently, infection rates for the
four variants have dropped off and will very likely be minimal until the next
variant is released into the wild. However, the NIPC is still concerned about
the thousands of systems that have already been compromised by the worm. During
the infection process, the attacking host instructs the newly-infected victim
system to initiate UDP traffic on ports 2002, 1978, and 4156. Once these communication
channels have been established, the infected system has the potential to join
other infected systems in a large scale, distributed denial-of-service (DDoS)
attack. As of September 25th, the number of currently infected hosts is estimated
to be between 25 and 30 thousand systems. The NIPC strongly urges system administrators,
as well as home users of OpenSSL up to and including versions 0.9.6d or 0.9.7beta1,
to consider immediately upgrading to the latest version of OpenSSL version
For users who are trying to determine whether their system is infected with the
worm, the NIPC is currently modifying its "Find DDoS Tool" to include
Slapper. Once modified, this tool will be able to detect the presence of Slapper
and all its variants. You can download this tool by clicking on these links:
Additionally, there is another tool available on the Internet designed to
help detect the presence of the worm and remove it from an infected host. The
following security company has posted a downloadable tool:
Internet Security Systems
ISS Download Center: http://www.iss.net/support/product_utilities/
Detecting the presence and activity of Slapper on your system:
Collaborative community analysis has indicated that the worm's source code
is placed in a file named /tmp/.bugtraq.c on infected systems. After the source
is compiled, the executable binary is stored at /tmp/.bugtraq; therefore, the presence
of either of these files on Linux systems running Apache with OpenSSL
is indicative of compromise.
Infected systems are readily identifiable on a network by the following traffic:
Probing -- Scanning on 80/tcp
Propagation -- Connections to 443/tcp
DDoS -- Transmitting or receiving datagrams with both source and destination
ports 1978/udp, 2002/udp, or 4156/udp. This traffic is used as a communications
channel between infected systems to coordinate attacks on other sites.
Backdoor ("B" variant only) -- Listening on 1052/tcp.
Additionally, infected hosts that are actively participating in DDoS attacks
against other systems may generate unusually high volumes of attack traffic
using various protocols (e.g., TCP, UDP, ICMP).
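The host and network indicators above, turned into a check an administrator can run on a suspect Linux server. This is an added example, not a tool from the NIPC, ISS, or the assessment; it reads the standard "netstat -an" column layout, and the netstat output embedded below is constructed.

```python
# Added example (not from the NIPC assessment): check a Linux host for the
# Slapper indicators listed above.  The netstat layout is the standard
# "netstat -an" column order; SAMPLE_NETSTAT below is constructed data.
import os

SLAPPER_FILES = ("/tmp/.bugtraq.c", "/tmp/.bugtraq")   # dropped source and binary
P2P_UDP_PORTS = {1978, 2002, 4156}                     # DDoS coordination channel
BACKDOOR_TCP_PORT = 1052                               # "B" variant only

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1052            0.0.0.0:*               LISTEN
udp        0      0 192.0.2.10:2002         198.51.100.7:4156
udp        0      0 192.0.2.10:53           203.0.113.5:2002
udp        0      0 192.0.2.10:1978         203.0.113.9:1978
"""

def dropped_files_present(root="/"):
    """Return the Slapper file paths that exist beneath root."""
    return [p for p in SLAPPER_FILES
            if os.path.exists(os.path.join(root, p.lstrip("/")))]

def classify_socket(proto, local_port, foreign_port, state):
    """Name the Slapper indicator one socket record matches, or return None."""
    # The assessment flags datagrams whose source AND destination ports are both
    # worm ports; a lone 2002 on one side (e.g. DNS talking to port 2002) is not enough.
    if proto == "udp" and local_port in P2P_UDP_PORTS and foreign_port in P2P_UDP_PORTS:
        return "p2p-ddos-channel"
    if proto == "tcp" and local_port == BACKDOOR_TCP_PORT and state == "LISTEN":
        return "backdoor-listener-B"
    return None

def scan_netstat(text):
    """Parse 'netstat -an' output and return the indicator names it matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].rstrip("6") not in ("tcp", "udp"):
            continue                                   # header, banner or unix socket
        local_port = int(parts[3].rsplit(":", 1)[1])
        foreign = parts[4].rsplit(":", 1)[1]           # "*" for unconnected sockets
        foreign_port = int(foreign) if foreign.isdigit() else None
        state = parts[5] if len(parts) > 5 else ""
        hit = classify_socket(parts[0].rstrip("6"), local_port, foreign_port, state)
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    print("files:", dropped_files_present() or "none")
    print("sockets:", scan_netstat(SAMPLE_NETSTAT))
```

On a live host, pipe the real `netstat -an` output into scan_netstat in place of the sample; a "p2p-ddos-channel" hit alone can also be a sign of a peer already probing the host, so confirm with the file check.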
Mod_ssl is the Apache web server interface to OpenSSL, an open source implementation
of the secure sockets layer and transport layer security protocols. The Slapper
worm exploits a buffer overflow in the SSLv2 handshake process using a malformed
client master key. The worm actively scans for Apache installations over port
80, attempting to identify the installed Linux distribution from the Server
response-header field.
The worm does not attempt to compromise any servers that do not identify themselves
as Apache in the server header response. If successful, a copy of the malicious
source code is then placed on the victim server where the attacking system
tries to compile and run the code.
The Slapper worm creates a peer-to-peer network of compromised servers and
communicates between worm processes on UDP port 2002. It accepts requests for
remote command execution and has DDoS capabilities including TCP and TCP/IPv6,
UDP, and DNS flooding. More information on the Slapper worm and all its variants
can be found at the URLs listed in the Recommendations section of this assessment.
OpenSSL versions up to and including 0.9.6d and 0.9.7beta1
Current versions of the Slapper worm only target the following Linux distributions.
The worm may trigger unpredictable results on additional UNIX platforms. Other
UNIX platforms, as well as Apache with OpenSSL for Windows may also be vulnerable
to the OpenSSL vulnerability.
* Debian Linux, Apache 1.3.26
* RedHat Linux, Apache 1.3.6
* RedHat Linux, Apache 1.3.9
* RedHat Linux, Apache 1.3.12
* RedHat Linux, Apache 1.3.19
* RedHat Linux, Apache 1.3.20
* RedHat Linux, Apache 1.3.23
* SuSE Linux, Apache 1.3.12
* SuSE Linux, Apache 1.3.17
* SuSE Linux, Apache 1.3.19
* SuSE Linux, Apache 1.3.20
* SuSE Linux, Apache 1.3.23
* Mandrake Linux, Apache 1.3.14
* Mandrake Linux, Apache 1.3.19
* Mandrake Linux, Apache 1.3.20
* Mandrake Linux, Apache 1.3.23
* Slackware Linux, Apache 1.3.26
* Gentoo Linux (Apache version undetermined)
Any user operating OpenSSL up to and including versions 0.9.6d or 0.9.7beta1
is encouraged to consider immediately upgrading to OpenSSL version 0.9.6g.
Users should consider one or more of the following temporary workaround solutions
to block and/or disable the propagation of the worm:
Internet Security Systems http://www.iss.net/security_center/static/10098.php
McAfee- Network Associates http://vil.nai.com/vil/content/v_99693.htm
Recipients of this assessment are encouraged to report computer intrusions
or denial of service attacks to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm)
or the NIPC, and to the other appropriate authorities. Incidents may be reported online at
NIPC Watch and Warning Unit
can be reached at 888-585-9078 or firstname.lastname@example.org.