Slapper Worm Variants Spread
Network-building worms work the same as the original, but can be stopped once discovered.
Paul Roberts, IDG News Service
Two new variants of the Slapper worm that targets Apache Web servers running on Linux operating systems have appeared and are reported to be spreading.
The worm initially surfaced two weeks ago. The new variants, known as Slapper.B and Slapper.C, are modifications of the original Slapper worm, known as Slapper.A, and may prove more difficult to remove from infected systems.
The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, has infected thousands of Web servers worldwide, according to F-Secure, a computer and network security company. The handshake process is an initial exchange of messages between an SSL server and an SSL client in which each authenticates itself.
The worm uses the SSL vulnerability to transfer its malicious source code to a remote machine. It then compiles that code, producing a new executable, according to an advisory posted on Carnegie Mellon University's Computer Emergency Response Team Coordination Center Web page.
Once infected by the Slapper worm, Web servers become hosts in a large peer-to-peer network of other infected servers. Infected servers scan for other Web hosts to infect, and coordinate with other infected hosts using one of a number of UDP ports.
Variants Deviate
The latest variants of the original Slapper.A worm use different UDP ports to communicate with other infected servers, and have different names from the original worm. While Slapper.A uses the name "bugtraq" and relies on UDP port 2002, Slapper.B is called "cinik" and uses port 1978, and Slapper.C is named "unlock" and uses port 4156, according to an advisory published by F-Secure.
System administrators and antivirus software can spot likely infections by searching their servers for directories and files using those names, and by looking for abnormally heavy traffic on the affected ports.
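The two checks described above, as an added example that is not part of the original article or of the F-Secure and CERT advisories it cites: a sweep of a directory tree for the variant names "bugtraq", "cinik" and "unlock", and a per-port tally of UDP traffic that flags the listed ports 2002, 1978 and 4156. The flow-log line format, the packet threshold and the scratch directory tree are assumptions constructed for the example.

```python
"""Indicator sweep for the three Slapper variants named in the article.

Added example (not the article's own or F-Secure's code). It walks a directory
tree for files or directories carrying a variant's name, and sums UDP packets
per destination port from constructed flow-log lines, flagging the peer-to-peer
ports the advisory lists. Log format and threshold are assumptions.
"""
import os
import re
import tempfile
from collections import Counter

# Variant name / UDP port pairs as reported by F-Secure and quoted in the article.
SLAPPER_INDICATORS = {
    "Slapper.A": {"name": "bugtraq", "port": 2002},
    "Slapper.B": {"name": "cinik", "port": 1978},
    "Slapper.C": {"name": "unlock", "port": 4156},
}

# Assumed (constructed) flow-log line shape: "<proto> <src>:<sport> -> <dst>:<dport> <packets>"
FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+\S+:\d+\s+->\s+\S+:(?P<dport>\d+)\s+(?P<packets>\d+)$"
)


def find_named_artifacts(root):
    """Return sorted (variant, path) pairs for entries whose base name is a variant name.

    A leading dot and any extension are stripped before matching, so ".cinik"
    and "bugtraq.c" both count. Common words such as "unlock" will also match
    benign files, so the result is a triage list, not a verdict.
    """
    by_name = {v["name"]: variant for variant, v in SLAPPER_INDICATORS.items()}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            base = entry.lstrip(".").split(".", 1)[0]
            if base in by_name:
                hits.append((by_name[base], os.path.join(dirpath, entry)))
    return sorted(hits)


def udp_port_counts(log_lines):
    """Sum packet counts per UDP destination port; non-UDP and malformed lines are ignored."""
    counts = Counter()
    for line in log_lines:
        m = FLOW_RE.match(line.strip())
        if m and m.group("proto").upper() == "UDP":
            counts[int(m.group("dport"))] += int(m.group("packets"))
    return counts


def flag_slapper_ports(log_lines, threshold=100):
    """Return {variant: packets} for listed ports whose UDP volume exceeds threshold (assumed value)."""
    counts = udp_port_counts(log_lines)
    by_port = {v["port"]: variant for variant, v in SLAPPER_INDICATORS.items()}
    return {by_port[p]: n for p, n in counts.items() if p in by_port and n > threshold}


# Constructed sample flow log: heavy UDP/1978 traffic (Slapper.B), a trickle on 2002, unrelated noise.
SAMPLE_FLOWS = [
    "UDP 10.0.0.5:1978 -> 10.0.0.9:1978 240",
    "UDP 10.0.0.7:40211 -> 10.0.0.9:1978 310",
    "TCP 10.0.0.8:51234 -> 10.0.0.9:443 900",
    "UDP 10.0.0.6:2002 -> 10.0.0.9:2002 12",
    "UDP 10.0.0.3:53 -> 10.0.0.9:33000 5",
]


def demo():
    """Build a constructed scratch tree, run both checks and return (artifacts, flagged_ports)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp", ".cinik"))
        os.makedirs(os.path.join(root, "var", "www"))
        open(os.path.join(root, "tmp", "bugtraq.c"), "w").close()
        open(os.path.join(root, "var", "www", "index.html"), "w").close()
        artifacts = find_named_artifacts(root)
    return artifacts, flag_slapper_ports(SAMPLE_FLOWS)


if __name__ == "__main__":
    found, ports = demo()
    for variant, path in found:
        print(f"{variant}: suspicious entry {path}")
    for variant, packets in ports.items():
        print(f"{variant}: {packets} UDP packets on its listed port")
```

On a real server the tree to walk would be the web server's writable directories such as /tmp, and the flow lines would come from whatever traffic summary the site already keeps; the port check only reports volume above a threshold, so a port listed here that carries a legitimate service still needs a human look before anything is removed.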
While such small modifications to the original worm are easy to compensate for, Slapper.B also contains changes that make its removal from infected servers more difficult.
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
That change in Slapper.B, along with another that enables the worm to restart itself, may explain the variant's rapid spread in countries such as Australia, experts say. More than 120 businesses in that country have been infected with the new variant.
Same Cure
Still, none of the variants that have appeared so far have altered the worm's basic strategy for infecting machines: exploitation of the buffer overflow in vulnerable versions of OpenSSL. That fact, coupled with the continued spread of the worm, has some security experts scratching their heads.
"When I first heard about the spread of [Slapper.B], I thought maybe that there was another vulnerability in SSL that was being exploited--maybe another buffer overrun--or that someone had altered the code that is used by the worm to locate new hosts," said Mikko Hypponen of F-Secure.
"But when I looked at Slapper.B and saw that none of that code had been changed, that it was just a different port number and new file names, I couldn't believe that this worm was still spreading."
Geoff Shively, chief hacking officer at security company Pivx Solutions, wonders if the increased attention to new worms and their variants isn't overloading overtaxed system administrators.
"There's getting to be an information overload within the security community," Shively said.
"Companies are putting pressure on system administrators to patch issues and manage the entire system from printers all the way up to servers and it isn't fair. These companies need people whose job it is just to do patches--security administrators in addition to system administrators."