The following has been derived from information provided by F-Secure, Kaspersky Labs, Sophos, and Symantec.
Virus Characteristics
Linux.Slapper.Worm exploits a buffer overflow in OpenSSL to obtain a shell on a remote system. The worm targets vulnerable installations of the Apache web server on Linux distributions, including versions of SuSE, Mandrake, Red Hat, Slackware and Debian. The worm also contains code for a Distributed Denial of Service (DDoS) attack.
The worm first connects to port 80 and sends an invalid GET request; the server's response identifies whether the system runs Apache. Once an Apache system is found, the worm connects to port 443 and sends the exploit code to the SSL service listening there.
The exploit carries Linux shellcode that runs only on Intel x86 systems and requires /bin/sh to be present on the target. The worm UU-encodes its own source code, sends it to the remote system and decodes it there into a file named ".bugtraq.c" (the leading dot means a plain "ls" will not show it; "ls -a" will). It then compiles the file with gcc and runs the resulting binary, ".bugtraq". These files are placed in the /tmp directory. A daemon process called .bugtraq will be visible on infected computers.
The worm binary is executed with an IP address as a parameter. This is the address of the attacking machine, and it is used to build a network of infected systems for denial of service purposes. Each compromised system listens on UDP port 2002 for further instructions. The backdoor allows a range of actions to be initiated on infected computers, such as executing arbitrary commands, generating TCP floods, generating DNS floods, and searching the disk for email addresses.
The worm selects new targets by randomly scanning for Apache systems within the /8 networks whose first octet is one of the following:
3, 4, 6, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26, 28, 29, 30, 32, 33, 34, 35, 38, 40, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 61, 62, 63, 64, 65, 66, 67, 68, 80, 81, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239
The flaw in OpenSSL which allows this worm to spread was announced and fixed in an OpenSSL Security Advisory of 30 July 2002.
At this time over 3500 computers are thought to be infected. The worm was first seen in Eastern Europe late on Friday, 13 September 2002, and is now reported to be active around the world.
Payload
Increased internet bandwidth usage.
The infected machine is compromised: it may be employed in denial of service attacks, or fall victim to further attack itself through the backdoor.
Preventative Measures
Remove or limit access to the gcc compiler on production web servers; the worm depends on gcc being present on the target to build itself.
Patch the OpenSSL vulnerability, then restart Apache (and any other service linked against OpenSSL) so that the fixed library is actually loaded. For patch information for vulnerable products, please see http://online.securityfocus.com/bid/5363/solution.
Manual Removal
The worm is visible on an infected system as a process named ".bugtraq". An infected system can be disinfected by terminating the worm's process and removing the files it created in the temporary directory:
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq
The Apache web server must also be shut down and the OpenSSL library upgraded to a fixed version (0.9.6e or above) before it is restarted; otherwise the system will simply be reinfected.
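The following check script is an added example and is not part of this advisory or of any vendor's tools. It looks for the host indicators given above (the three /tmp files, a process named .bugtraq, and a UDP listener on port 2002), removes the files, and compares an OpenSSL version string against the 0.9.6e threshold. The function names, the DIR argument and the netstat/ss line layout it parses are assumptions of the script; pre-release OpenSSL builds (the 0.9.7 betas) are not handled and should be checked against the OpenSSL advisory by hand.

```shell
#!/bin/sh
# Added example (not from the advisory or any vendor): host-based Slapper indicator check.
# The file names, process name and UDP port below come from the advisory; the function
# names, the DIR argument and the report layout are this script's own assumptions.

SLAPPER_FILES=".uubugtraq .bugtraq.c .bugtraq"   # indicator file names from the advisory

# slapper_files_present DIR: print each indicator file found in DIR (default /tmp);
# exit status 0 if at least one is present, 1 if none.
slapper_files_present() {
    dir="${1:-/tmp}"
    found=1
    for f in $SLAPPER_FILES; do
        if [ -e "$dir/$f" ]; then
            echo "$dir/$f"
            found=0
        fi
    done
    return $found
}

# slapper_process_pids: print the PIDs whose command name is exactly ".bugtraq";
# exit status 0 if any were found, 1 otherwise.
slapper_process_pids() {
    pids=$(ps -eo pid=,comm= 2>/dev/null | awk '$2 == ".bugtraq" { print $1 }')
    [ -n "$pids" ] || return 1
    echo "$pids"
}

# slapper_udp2002_listener: read "netstat -anu" or "ss -anu" style lines on stdin;
# exit status 0 if a UDP socket whose local address (field 4) ends in port 2002 is
# present. Matches "0.0.0.0:2002" and BSD-style "*.2002", not port 20020 or TCP sockets.
slapper_udp2002_listener() {
    awk 'toupper($1) ~ /^(UDP|UNCONN)/ && $4 ~ /[:.]2002$/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# slapper_remove_files DIR: delete the indicator files in DIR; 0 if none remain.
# Kill the .bugtraq process first, or the daemon simply keeps running without its files.
slapper_remove_files() {
    dir="${1:-/tmp}"
    for f in $SLAPPER_FILES; do
        rm -f "$dir/$f"
    done
    ! slapper_files_present "$dir" >/dev/null
}

# openssl_fixed VERSION: 0 if VERSION (as printed by "openssl version", e.g. 0.9.6e) is
# 0.9.6e or later, the threshold the advisory gives. The patch letter is ranked a=1..z=26.
# Assumption: a pre-release suffix such as "-beta3" is ignored, so "0.9.7-beta3" is treated
# as 0.9.7; check such builds against the OpenSSL advisory by hand.
openssl_fixed() {
    printf '%s\n' "$1" | awk -F. '{
        patch = $3; sub(/[^0-9].*/, "", patch)
        letter = $3; sub(/^[0-9]*/, "", letter); sub(/[^a-z].*/, "", letter)
        lnum = (letter == "") ? 0 : index("abcdefghijklmnopqrstuvwxyz", letter)
        ver   = $1 * 1000000 + $2 * 10000 + patch * 100 + lnum
        fixed = 0 * 1000000 + 9 * 10000 + 6 * 100 + 5      # 0.9.6e
        if (ver >= fixed) exit 0
        exit 1
    }'
}

# slapper_report DIR: run every check against the live host and print a summary.
slapper_report() {
    dir="${1:-/tmp}"
    echo "== indicator files in $dir"
    slapper_files_present "$dir" || echo "none"
    echo "== .bugtraq processes"
    slapper_process_pids || echo "none"
    echo "== UDP/2002 listener"
    if command -v ss >/dev/null 2>&1; then ss -anu; else netstat -anu; fi 2>/dev/null | slapper_udp2002_listener && echo "present" || echo "none"
    echo "== OpenSSL"
    v=$(openssl version 2>/dev/null | awk '{ print $2 }')
    if [ -z "$v" ]; then
        echo "openssl binary not found"
    elif openssl_fixed "$v"; then
        echo "$v: at or above 0.9.6e"
    else
        echo "$v: VULNERABLE, upgrade to 0.9.6e or later and restart Apache"
    fi
}

# Usage on a suspect host (the file name is an assumption): sh slapper_check.sh --report
case "${1:-}" in --report) slapper_report ;; esac
```

Run the report as root on a suspect host; a clean machine prints "none" for each indicator and an OpenSSL version at or above 0.9.6e. Kill the reported .bugtraq processes before calling slapper_remove_files, since the files alone are not the infection, and remember that a fixed library only takes effect once Apache has been restarted.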
Fixes Available
Network Associates: No information at time of alert
Symantec:
Virus Definitions (Intelligent Updater): September 16, 2002
Virus Definitions (LiveUpdate): September 18, 2002
Trend: No information at time of alert