IWS - The Information Warfare Site
News Watch Make a donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ASSESSMENT 02-003

"Slapper" OpenSSL/Apache Worm"
September 27, 2002

The National Infrastructure Protection Center (NIPC) has been coordinating with the anti-virus and security community on the life cycle of "Slapper," the OpenSSL/Apache worm and all its variants. Currently, infection rates for the four variants have dropped off and will very likely be minimal until the next variant is released into the wild. However, the NIPC is still concerned about the thousands of systems that have already been compromised by the worm. During the infection process, the attacking host instructs the newly-infected victim system to initiate UDP traffic on ports 2002, 1978, and 4156. Once these communication channels have been established, the infected system has the potential to join other infected systems in a large scale, distributed denial-of-service (DDoS) attack. As of September 25th, the number of currently infected hosts is estimated to be between 25 and 30 thousand systems. The NIPC strongly urges system administrators, as well as home users of OpenSSL up to and including versions 0.9.6d or 0.9.7beta1, to consider immediately upgrading to the latest version of OpenSSL version 0.9.6g.

For users that are trying to determine if their system is infected with the worm, the NIPC is currently modifying its "Find DDoS Tool" to include Slapper. Once modified, this tool will be able to detect the presence of Slapper and all its variants. You can download this tool by clicking onto these links: find_ddos_v43_intel.tar.z; find_ddos_v43_linux.tar.z, and find_ddos_v43_sparc.tar.z.

Additionally, there is another tool available on the Internet designed to help detect the presence of the worm and remove it from an infected host. The following security company has posted a downloadable tool:

Internet Security Systems
ISS Download Center: http://www.iss.net/support/product_utilities/

Detecting the presence and activity of Slapper on your system:

Collaborative community analysis has indicated that the worm's source code is placed in a file named /tmp/.bugtraq.c on infected systems. After the executable binary is compiled the file is stored at /tmp/.bugtraq; therefore, presence of any of either of these files on Linux systems running Apache with OpenSSL is indicative of compromise.

Infected systems are readily identifiable on a network by the following traffic characteristics:

Probing -- Scanning on 80/tcp
Propagation -- Connections to 443/tcp
DDoS -- Transmitting or receiving datagrams with both source and destination ports 1978/udp, 2002/udp, or 4156/udp. This traffic is used as a communications channel between infected systems to coordinate attacks on other sites.
Backdoor ("B" variant only) -- Listening on 1052/tcp.
Additionally, infected hosts that are actively participating in DDoS attacks against other systems may generate unusually high volumes of attack traffic using various protocols (e.g., TCP, UDP, ICMP)

Background:

Mod_ssl is the Apache web server interface to OpenSSL, an open source implementation of the secure sockets layer and transport layer security protocols. The Slapper worm exploits a buffer overflow in the SSLv2 handshake process using a malformed client master key. The worm actively scans for Apache installations over port 80, attempting to determine the identity of the Linux distribution installed from the response-header field.
The worm does not attempt to compromise any servers that do not identify themselves as Apache in the server header response. If successful, a copy of the malicious source code is then placed on the victim server where the attacking system tries to compile and run the code.

The Slapper worm creates a peer-to-peer network of compromised servers and communicates between worm processes on UDP port 2002. It accepts requests for remote command execution and has DDoS capabilities including TCP and TCP/IPv6, UDP, and DNS flooding. More information on the Slapper worm and all its variants can be found at the URLs listed in the Recommendations section of this assessment.

Affected Versions:

OpenSSL versions up to and including versions 0.9.6d and 0.9.7 beta1

Current versions of the Slapper worm only target the following Linux distributions. The worm may trigger unpredictable results on additional UNIX platforms. Other UNIX platforms, as well as Apache with OpenSSL for Windows may also be vulnerable to the OpenSSL vulnerability.

* Debian Linux, Apache 1.3.26
* RedHat Linux, Apache 1.3.6
* RedHat Linux, Apache 1.3.9
* RedHat Linux, Apache 1.3.12
* RedHat Linux, Apache 1.3.19
* RedHat Linux, Apache 1.3.20
* RedHat Linux, Apache 1.3.23
* SuSE Linux, Apache 1.3.12
* SuSE Linux, Apache 1.3.17
* SuSE Linux, Apache 1.3.19
* SuSE Linux, Apache 1.3.20
* SuSE Linux, Apache 1.3.23
* Mandrake Linux, Apache 1.3.14
* Mandrake Linux, Apache 1.3.19
* Mandrake Linux, Apache 1.3.20
* Mandrake Linux, Apache 1.3.23
* Slackware Linux, Apache 1.3.26
* Gentoo Linux (Apache version undetermined)

Recommendations:

Any user operating OpenSSL up to and including versions 0.9d or 0.9.7beta 1 are encouraged to consider immediately upgrading to OpenSSL version 0.9.6g. Users should consider one or more of the following temporary workaround solutions to block and/or disable the propagation of the worm:

CERT/CC http://www.cert.org/advisories/CA-2002-27.html

Internet Security Systems http://www.iss.net/security_center/static/10098.php

McAfee- Network Associates http://vil.nai.com/vil/content/v_99693.htm

RedHat http://www.redhat.com/support/alerts/linux_slapper_worm.html

Symatec http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html


Recipients of this assessment are encouraged to report computer intrusions or denial of service attacks to their local FBI office http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to the other
appropriate authorities. Incidents may be reported online at
http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit
can be reached at 888-585-9078 or nipc.watch@fbi.gov.