Slapper Worm Variants Spread
The network-building worm variants work the same way as the original, but can be stopped once discovered.
Two new variants of the Slapper worm, which targets Apache Web servers running on Linux, have appeared and are reported to be spreading.
The worm initially surfaced two weeks ago. The new variants, known as Slapper.B and Slapper.C, are modifications of the original Slapper worm, known as Slapper.A, and may prove more difficult to remove from infected systems.
The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, has infected thousands of Web servers worldwide, according to F-Secure, a computer and network security company. The handshake process is an initial exchange of messages between an SSL server and an SSL client in which each authenticates itself.
The worm uses the SSL vulnerability to transfer its malicious source code to a remote machine. It then compiles that code, producing a new executable, according to an advisory posted on Carnegie Mellon University's Computer Emergency Response Team Coordination Center Web page.
Once infected by the Slapper worm, Web servers become hosts in a large peer-to-peer network of other infected servers. Infected servers scan for other Web hosts to infect, and coordinate with other infected hosts using one of a number of UDP ports.
Variants Deviate
The latest variants of the original Slapper.A worm use different UDP ports to communicate with other infected servers, and have different names from the original worm. While Slapper.A uses the name "bugtraq" and relies on UDP port 2002, Slapper.B is called "cinik" and uses port 1978, and Slapper.C is named "unlock" and uses port 4156, according to an advisory published by F-Secure.
System administrators and antivirus software can spot likely infections by searching their servers for directories and files using those names, and by looking for abnormally heavy traffic on the affected ports.
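The detection approach the article describes (look for files or directories carrying the per-variant name, and for sockets bound to the per-variant UDP port) can be scripted. The following is an added example, not code from the article, F-Secure or CERT/CC; it uses only the names and ports reported above. The search root `/tmp`, the sample paths and the sample `netstat` output are assumptions or constructed test data, and a name match is a lead to inspect rather than a verdict.

```python
"""Host-side indicator check for the Slapper worm family.

Added example, not code from the article or from F-Secure/CERT/CC. It uses
only the indicators the article reports: the per-variant names and UDP ports.
Everything else (search roots, sample paths, sample netstat output) is an
assumption or constructed test data.
"""
import os
import re

# variant -> (file/directory name, UDP port), as reported by F-Secure.
SLAPPER_VARIANTS = {
    "Slapper.A": ("bugtraq", 2002),
    "Slapper.B": ("cinik", 1978),
    "Slapper.C": ("unlock", 4156),
}
NAME_TO_VARIANT = {name: v for v, (name, _) in SLAPPER_VARIANTS.items()}
PORT_TO_VARIANT = {port: v for v, (_, port) in SLAPPER_VARIANTS.items()}

# Matches `netstat -anu` style lines: proto, queues, then local addr:port.
UDP_SOCKET = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def match_names(paths):
    """Return (path, variant) for every path whose basename contains a known
    worm name. Substring matching is a heuristic: a hit is a lead to inspect,
    not a verdict (e.g. 'unlock' also appears in ordinary file names)."""
    hits = []
    for path in paths:
        base = os.path.basename(path).lower()
        for name, variant in NAME_TO_VARIANT.items():
            if name in base:
                hits.append((path, variant))
    return hits


def find_named_artifacts(roots=("/tmp",)):
    """Walk the given directories (assumed search roots; the article does not
    say where the worm writes its files) and apply match_names."""
    paths = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    return match_names(paths)


def suspicious_udp_ports(netstat_output):
    """Parse netstat-style text and return {port: variant} for every bound UDP
    port that matches a known Slapper port."""
    found = {}
    for line in netstat_output.splitlines():
        m = UDP_SOCKET.match(line.strip())
        if m and int(m.group(2)) in PORT_TO_VARIANT:
            found[int(m.group(2))] = PORT_TO_VARIANT[int(m.group(2))]
    return found


def suspected_variants(paths, netstat_output):
    """Combine both indicator types into {variant: [evidence, ...]}."""
    evidence = {}
    for path, variant in match_names(paths):
        evidence.setdefault(variant, []).append(f"file {path}")
    for port, variant in sorted(suspicious_udp_ports(netstat_output).items()):
        evidence.setdefault(variant, []).append(f"udp port {port}")
    return evidence


# Constructed sample data (not real captures).
SAMPLE_PATHS = ["/tmp/.cinik", "/tmp/httpd.log", "/var/www/index.html"]
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:1978            0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
"""

if __name__ == "__main__":
    # On a real host, replace SAMPLE_PATHS with find_named_artifacts() and
    # SAMPLE_NETSTAT with the output of `netstat -anu`.
    for variant, items in suspected_variants(SAMPLE_PATHS, SAMPLE_NETSTAT).items():
        print(variant, "->", ", ".join(items))
```

On the constructed sample the script reports Slapper.B from both a name hit and a bound UDP port; either indicator alone is worth following up, but the two together are a much stronger signal than a single file name.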
And while such small modifications to the original worm are easy to compensate for, Slapper.B contains other modifications that make its removal from infected servers more difficult.
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
That change in Slapper.B, as well as another that enables the worm to restart itself, may explain the variant's rapid spread in countries such as Australia, experts say. More than 120 businesses have been infected with the new worm variation in that country.
Same Cure
Still, none of the variants that have appeared so far have altered the worm's basic strategy for infecting machines: exploitation of the buffer overflow in vulnerable versions of OpenSSL. That fact, coupled with the continued spread of the worm, has some security experts scratching their heads.
"When I first heard about the spread of [Slapper.B], I thought maybe that there was another vulnerability in SSL that was being exploited--maybe another buffer overrun--or that someone had altered the code that is used by the worm to locate new hosts," said Mikko Hypponen of F-Secure.
"But when I looked at Slapper.B and saw that none of that code had been changed, that it was just a different port number and new file names, I couldn't believe that this worm was still spreading."
Geoff Shively, chief hacking officer at security company Pivx Solutions, wonders whether the increased attention to new worms and their variants is overloading already overtaxed system administrators.
"There's getting to be an information overload within the security community," Shively said.
"Companies are putting pressure on system administrators to patch issues and manage the entire system from printers all the way up to servers and it isn't fair. These companies need people whose job it is just to do patches--security administrators in addition to system administrators."