[Techtalk] "Slapper" worm targeting Linux/Apache servers

Mandi mandi at linuxchick.org
Fri Sep 20 11:35:34 EST 2002


Just as an update, in case you haven't seen it..

F-secure's page on slapper:
http://www.f-secure.com/slapper/

Essentially, slapper infected fewer than 14,000 hosts.
Which is to say, slapper successfully infected, in a week, 1% of the
successful infection of the NIMDA virus this time last year (1.3 million
hosts in 4 days).

As you can see at the link above, only a handful of machines exist on the
slapper p2p network now, a week later.

slapper gained media attention from msnbc for obvious reasons (notice the
"ms" in "msnbc"....  ;) ) but is interesting from a security standpoint
because of the p2p network it attempts to join.

irc-based worms are nothing new in the windows world; there are a number
of trojans and worms that run on win32 platforms and join rogue irc
networks.  These get used for DDOS attacks.

slapper sets up a connection to a p2p network, and F-secure was able to
get a machine onto that network and watch for other hosts.  they were then
able to notify administrators of the other hosts that appeared on the
network.

with such a specific attack, focused on a fractional number of all hosts
on the internet, slapper could probably be classified as a proof of
concept in the deployment of rogue p2p networks.  which isn't to say that
it's not serious if your server is infected; however, cleansing a machine
of slapper is nothing like the re-install required to clean a machine of
an infection by T0rn or another destructive rootkit.  however, since the
idea has been planted, it has the potential of resurfacing as something
much more dangerous.

If I write a worm that has a rogue irc client in it, I have to have an irc
server running somewhere that my infected hosts can gather at.  that irc
server is then a target for security investigators.  now, if I'm putting
together a p2p network, I can find two infectable hosts.  I crack them,
set them up to p2p to each other, give them the infection instructions,
with the specific clause that when they spread the worm, those hosts they
infect should report back to them, and not me.  part of the infection code
is negotiation of peers and hubs.  for something like slapper, which is
compiled on every host it infects, changing the ip address of the parent
host is trivial.

so then I, as the creator of this infection, bow out of the action.  I
wipe the logs on the initial hosts, and I'm out.  I could put my own
infected host on the network, to keep tabs on my minions and send them
instructions when I'm ready, but I look like just another peer, not the
commander in chief.  it's the "no central server" defense that the p2p
networks were using when the riaa and mpaa took them to court.

cool, huh?  now, what would have happened if I put that behind nimda?  1.3
million p2p hosts.  hmm...

--mandi