Reverse Engineered Slapper Worm

F-Secure reverse engineered worms network protocol — real-time information on number and location of infected computers

The Linux.Slapper worm was first seen on Friday the 13th. Since then it has infected thousands of web servers around the world and continues to spread. What sets it apart from other worms is its peer-to-peer networking capability, which the worm author may utilize to take over any or all of the infected servers. This was apparently designed to launch distributed denial-of-service attacks with the worm, but it also results in a situation where anybody can take over an infected machine and do practically anything with it.

The Slapper is representative of the new breed of worms and viruses as it is as much an attack tool as it is a quickly spreading worm.

During the weekend following Friday the 13th, F-Secure engineers have reverse engineered the peer-to-peer protocol that the worm uses. F-Secure has now infiltrated the Slapper peer-to-peer attack network, posing as an infected web server. Through this fake server, the exact number of infected machines and their network names can be identified.

F-Secure’s Global Slapper Information Center provides regularly updated information on the spread of the virus and numbers of infected servers categorized by the top-level domain. F-Secure is also sending a warning to the administrators of infected systems based on their IP addresses. A free version of F-Secure Anti-Virus for Linux will also be made available to the administrators of infected systems. The license allows the product to be used in a limited fashion to remove the worm from the system.

F-Secure is also contacting the national authorities in order to alert the administrators of infected systems. It is imperative that the servers are cleaned and patched to prevent future infections as soon as possible – both to stop the spreading of the worm and to prevent unauthorised access to the infected servers.

Global Slapper Information Center can be found from: http://www.f-secure.com/slapper/

Situation on Sunday 15th of September 2002, at 17:00 GMT

By Sunday evening, the Linux.Slapper worm had been in circulation for less than 40 hours. In this time, the number of infected servers has grown from 0 to over 6000. For reference, Code Red – which is known as the worst web worm so far – managed to infect only a couple of hundred servers within similar time frame. Code Red went on to infect over 300,000 web servers during its beak in July 2001 and is still alive today. It is estimated that there are over 1,000,000 active OpenSSL installations in the public web. A very big part of those machines has not yet been patched to close this hole, and are thus prone for infection by the Slapper worm.

The worm infects unprotected Linux machines that are running Apache web server with OpenSSL enabled. Uniquely, the worm spreads in C source code format, recompiling itself on every infected machine.

Detailed technical description of the worm as well as a screenshot are available in the Global Slapper Information Center in http://www.f-secure.com/slapper/