Lumension® Endpoint Intelligence Center

Linux/Slapper.A


Threat risk: LOW
Destructivity: MEDIUM
Payload: Denial of service attack
Detection files: published
Description created: 17 Sep 2002 02:35:00
Description updated: 26 Nov 2002 04:23:00
Malware type: WORM
Spreading mechanism: OTHER
Summary: None



The worm connects to port 80 on Linux machines and tries to establish whether it is running a vulnerable Linux/Apache web server implementation. It looks for:

Debian, Apache 1.3.26,
Red-Hat, Apache 1.3.6,
Red-Hat, Apache 1.3.9,
Red-Hat, Apache 1.3.12,
Red-Hat, Apache 1.3.19,
Red-Hat, Apache 1.3.20,
Red-Hat, Apache 1.3.22,
Red-Hat, Apache 1.3.23,
Red-Hat, Apache 1.3.26,
SuSE, Apache 1.3.12,
SuSE, Apache 1.3.17,
SuSE, Apache 1.3.19,
SuSE, Apache 1.3.20,
SuSE, Apache 1.3.23,
Mandrake, Apache 1.3.14,
Mandrake, Apache 1.3.19,
Mandrake, Apache 1.3.20,
Mandrake, Apache 1.3.23,
Slackware, Apache 1.3.26

If the remote machine is running one of the above distribution and Apache version combinations, the worm connects to port 443 (HTTPS) and exploits a buffer overflow in the SSL service running on the server.

A buffer overflow occurs when software is deliberately sent more data than the buffer receiving it can hold. Faulty recipient software then behaves unpredictably and may crash. In some cases control of execution is transferred to the attacker-supplied data, giving the attacker access to the remote machine. That is what happens in this case.

The attack gives the worm shell access; it then sends over its own source code in uuencoded form, decodes it on the remote machine, and compiles it with the GCC compiler present on most Linux machines. The source file is called .bugtraq.c, and the resulting executable is called .bugtraq. The executable is run, and the remote machine is now infected.

Payload Details

The worm incorporates backdoor functionality, and infected systems connect to each other via UDP on port 2002. This lets an attacker connect to the infected network and instruct it to launch a Distributed Denial of Service (DDoS) attack against any given machine.
The attacks can take several forms: UDP floods, TCP floods, IPv6 TCP floods, or DNS floods.

NVC for Linux will detect and remove the worm file. It will not, however, remove a copy of the worm that is already running; to do this, users should locate and kill any process called .bugtraq. Patches for the exploitable SSL implementations are available from OpenSSL.
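A host-side triage check built from the indicators in this description (the .bugtraq process and .bugtraq.c source names, and UDP port 2002), written here as an added example and not part of the Lumension entry or of any vendor product. The /proc parsing, the search directories, and the assumption that the peer-to-peer socket is bound locally to port 2002 are this example's own.

```python
import os

# Indicators from the Slapper.A description: dropped source/binary names and the P2P UDP port.
# The /proc parsing and the locally-bound-socket assumption are this example's, not the entry's.
WORM_NAMES = {".bugtraq", ".bugtraq.c"}
P2P_UDP_PORT = 2002

def suspicious_processes(ps_lines):
    """PIDs whose command name is the worm binary; input lines look like 'PID COMM'."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and parts[1].strip() in WORM_NAMES:
            hits.append(int(parts[0]))
    return hits

def udp_2002_sockets(proc_net_udp_lines):
    """Local 'hexIP:hexPORT' entries in /proc/net/udp format that are bound to UDP/2002."""
    hits = []
    for line in proc_net_udp_lines[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        if int(fields[1].rsplit(":", 1)[1], 16) == P2P_UDP_PORT:
            hits.append(fields[1])
    return hits

def worm_files(paths):
    """Paths whose file name matches the dropped source (.bugtraq.c) or binary (.bugtraq)."""
    return [p for p in paths if os.path.basename(p) in WORM_NAMES]

def live_check(search_dirs=("/tmp", "/var/tmp")):
    """Run all three checks against the local Linux host; search_dirs is an assumption."""
    ps_lines = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                ps_lines.append(f"{pid} {f.read().strip()}")
        except OSError:
            continue  # process exited between listing and reading
    with open("/proc/net/udp") as f:
        udp_lines = f.read().splitlines()
    candidates = [os.path.join(d, n) for d in search_dirs if os.path.isdir(d) for n in os.listdir(d)]
    return suspicious_processes(ps_lines), udp_2002_sockets(udp_lines), worm_files(candidates)

if __name__ == "__main__":
    pids, socks, files = live_check()
    print("worm processes:", pids, "| udp/2002 sockets:", socks, "| worm files:", files)
    raise SystemExit(1 if (pids or socks or files) else 0)  # non-zero exit = indicators found
```

Any PID it reports is the process the remediation step above says to kill; the file hits are what the antivirus step removes.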

Last Updated: 12 Nov 2015 11:06:11