What Is Slapper?

This is a re-post (or posting to my blog) of an article I had written for Linux Security in September of 2002. The original article is available here.

The question of the week: What is Slapper? Let me begin by telling you I am not only describing the Slapper worm, but I am also describing the Apache/mod_ssl worm, the bugtraq.c worm, and the Modap worm. In effect, these are just four different names for the same nasty worm.
On the always lucky day of Friday the 13th (of September) the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow vulnerability reported at the end of July. The next day, CERT issued an advisory CA-2002-27, the Apache/mod_ssl Worm.

A quote directly from the CERT-issued advisory prior to the release of the worm:

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

By Sunday September 15th, F-Secure Corporation reported
13,000 infected servers out of “over 1,000,000 active OpenSSL
installations in the public web.” Businesswire gave a more in-depth
view into just how F-Secure got their numbers:

During the weekend following Friday the 13th, F-Secure
engineers have reverse engineered the peer-to-peer protocol that the
worm uses. F-Secure has now infiltrated the Slapper peer-to-peer attack
network, posing as an infected web server. Through this fake server,
the exact number of infected machines and their network names can be

Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available
for over a month from the OpenSSL project, Caldera, Conectiva, Debian,
EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and
Yellow Dog.

SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format). F-Secure is maintaining a “Virus Description” of this worm with lots of interesting information.

The Linux.Slapper.Worm spreads in similar fashion to last year’s
Nimda and Code Red worms, by scanning for, and then infecting,
vulnerable systems. Because this worm establishes peer-to-peer links
among infected servers, experts fear it could create a powerful
platform to launch denial-of-service attacks against virtually any
target on the Internet.

Some of the more noteworthy (interesting) things that the
Slapper worm does are similar to the Apache Scalper worm. A major
difference is that Slapper creates a hierarchical network structure.
The SecurityFocus analysis states:

The Modap Worm, like Scalper, implements many
innovative structures, including a hierarchical network structure in
which it keeps track of the systems it has infected, the system that
infected it, as well as a list of other infected systems and how many
hops away they are. All of the internal communication between hosts
infected with Modap is accomplished through an implementation of a
stateful protocol transmitted over UDP.

Once the worm has infected a system and created the necessary file
(below), it executes itself with at least one command line parameter. If it
is not executed with at least one command line parameter, then it
displays an error message and does not run. Once the worm is
running, the first thing it attempts to do is bind to UDP port 2002.
The bot (worm) then sends out a packet to register itself on the
network [of other worms]. Now that the worm is bound to a port, it
enters a daemon mode, forks, and installs signal handlers for SIGCHLD
and SIGHUP which point to an empty function. The worm then enters a
while loop where it just scans and propagates.

The worm propagates by first scanning for hosts
that are listening on port 80. Once a system is found, it sends the
following string:

GET / HTTP/1.1\r\n\r\n

Since a “400 Bad Request” reply is generated, the worm now has
information about the server to look at. It parses the information
given with the response and determines whether or not it has just
contacted an Apache server. The worm checks the response string to see
if the version of Apache as well as the operating system are
vulnerable. If the operating system or the Apache version doesn’t match
anything the worm has, then it uses the default attack.
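The probe described above leaves a recognizable line in the web server's access log: an HTTP/1.1 request with no Host header is rejected with status 400. The following is an added detection example, not part of the original article; it assumes Apache common/combined log format, and the sample log lines are constructed.

```python
import re

# Apache common/combined log: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

PROBE_REQUEST = "GET / HTTP/1.1"  # request line quoted in the article


def find_probes(lines):
    """Map client address -> timestamps of probe-shaped requests.

    A hit is the exact request line from the article answered with 400.
    A browser asking for "/" sends a Host header and gets 200/304 instead,
    so a bare HTTP/1.1 GET that draws a 400 is worth a second look.
    """
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line; skip it
        client, when, request, status, _size = m.groups()
        if request == PROBE_REQUEST and status == "400":
            hits.setdefault(client, []).append(when)
    return hits


# Constructed sample log (documentation address ranges, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2002:03:12:44 +0000] "GET / HTTP/1.1" 400 385
198.51.100.7 - - [14/Sep/2002:03:12:51 +0000] "GET / HTTP/1.1" 200 2890
192.0.2.10 - - [14/Sep/2002:03:13:02 +0000] "GET /index.html HTTP/1.0" 200 2890
203.0.113.5 - - [14/Sep/2002:04:40:09 +0000] "GET / HTTP/1.1" 400 385
203.0.113.5 - - [14/Sep/2002:09:01:30 +0000] "GET / HTTP/1.1" 400 385
malformed line
""".splitlines()

if __name__ == "__main__":
    for client, times in find_probes(SAMPLE_LOG).items():
        print(f"{client}\t{len(times)} hit(s), first seen {times[0]}")
```

Other broken clients and scanners produce the same log line, so a hit is a lead for correlation with port 443 activity from the same address, not proof of a Slapper probe.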

F-Secure has charts which illustrate how many hosts are/were
infected at a given time. Although the count was nearing 20,000 hosts
as of 17 September, the number has been drastically reduced between
patching and emails to system administrators. The number is supposedly
down to below 1,000 at the time of writing this article.

One of the main characteristics associated with Slapper is the
file names that it creates. It creates 3 files within the /tmp

/tmp/.bugtraq: This is the copy of the worm that is running on the infected system.
/tmp/.bugtraq.c: This is the source code to the worm that is running on the infected system.
/tmp/.uubugtraq: This is the uuencoded copy of the worm that is running on the infected system. This file is also used by the worm to propagate itself to other systems.
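The three file names above and the UDP port 2002 binding described earlier can be combined into a quick host check. This is an added example, not code from the original article or from any vendor tool; the function names are hypothetical, it assumes a Linux host exposing /proc/net/udp, and the sample table is constructed.

```python
import os

WORM_FILES = (".bugtraq", ".bugtraq.c", ".uubugtraq")  # names from the article
WORM_UDP_PORT = 2002                                   # port from the article


def worm_files_present(tmp_dir="/tmp"):
    """Return the paths of the article's file names that exist in tmp_dir."""
    paths = (os.path.join(tmp_dir, name) for name in WORM_FILES)
    return [p for p in paths if os.path.lexists(p)]  # lexists also sees symlinks


def udp_ports_bound(proc_net_udp_text):
    """Parse the text of /proc/net/udp and return the bound local ports."""
    ports = set()
    for row in proc_net_udp_text.splitlines()[1:]:  # first row is the header
        fields = row.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        # local_address is HEXIP:HEXPORT, e.g. 00000000:07D2 = 0.0.0.0:2002
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def check_host(tmp_dir="/tmp", proc_path="/proc/net/udp"):
    """Collect both indicators into one result for reporting."""
    try:
        with open(proc_path) as fh:
            ports = udp_ports_bound(fh.read())
    except OSError:
        ports = set()  # not Linux, or the table is unreadable
    return {"files": worm_files_present(tmp_dir),
            "udp_2002_bound": WORM_UDP_PORT in ports}


# Constructed sample of /proc/net/udp: one socket on 0.0.0.0:2002, one on :53.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 1234
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1200
"""

if __name__ == "__main__":
    print(check_host())
```

An empty result only means these particular indicators are absent; it says nothing about whether the OpenSSL patch has been applied.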

RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has observed behavior different from what that tool expects.

If you have yet to apply a patch, I would strongly urge you to
do so now. If reading this article has not convinced you, then go apply
the patch to spite me. If you are unsure of where to obtain a patch for
your version of Linux, Linux Security Advisories has a list of all the advisories by vendor.

Much of the information stated in this document is available via the sources and references listed throughout this document.