Security experts warn that it is the ability of Slapper to create its own network that makes this worm different from last year's Code Red worm. Russ Cooper, a security expert at TruSecure and editor of the NTBugTraq security bulletin Web site, described Slapper as a new threat.
"Code Red made no attempt to coordinate hosts. All the infected hosts had similar instructions to initiate a denial of service attack against a particular Internet address - but it wasn't a coordinated attack." This is where Slapper differs. The Slapper worm has been designed in a way that allows it to communicate with other infected machines, Cooper said. Such machines can receive notifications from other hosts by sending and receiving data, but as far as Cooper was aware, "there is not code to send instructions".
Cooper cautions that future variants of the worm might include the ability to send and receive instructions, making sophisticated attacks possible. "One thing the attacker may have planned was to get this little worm in first, find out what hosts [it infects], then send out a variant that lets him then send out instructions."
Such variants could appear very soon, because Slapper's means of infection is to distribute its own source code to each new host. This could allow any programmer to tweak its functionality. "One of the things that worries us is that, because this worm is delivered as source code, and because that source code is well documented, anybody getting hold of the source can quickly learn how to exploit the virus itself," said Tony Magallanez, a systems engineer at F-Secure.
As an example, Magallanez said that given Slapper uses network port 2002, "anybody who knows the identity of [an infected] host can connect to that port and deposit whatever files they want - perhaps a program that will launch a timed attack".
Magallanez notes that, since Slapper targets Web servers designed for high-volume traffic, any attack would leverage the capacity of those servers against its victim.
The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake handling of OpenSSL, the library that provides SSL support for Apache, is already believed to have infected over 13,000 Apache Web servers, according to F-Secure. The worm infects a host by using the SSL vulnerability to transfer its own source code to the target machine. The target then compiles that code, producing a fresh executable for the new host.
Once infected by the Slapper worm, Web servers effectively become nodes in a large peer-to-peer network of other infected servers. Infected servers scan for further Web hosts to infect, and coordinate with one another over UDP (User Datagram Protocol) port 2002.
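The two traffic patterns described above, peer-to-peer coordination on UDP port 2002 and scanning for further Web hosts on the SSL port, are what an operator would look for in firewall or NetFlow summaries. The following is an added example of such a check, not code from the article or from any worm sample: the flow records, the log format, the field names and the thresholds are all constructed assumptions, and UDP/2002 is not reserved for the worm, so a host that legitimately speaks on that port would need to be excluded.

```python
"""Flag hosts whose traffic matches the Slapper peer-to-peer pattern:
many distinct UDP/2002 peers (the coordination channel) and/or a fan-out
of TCP/443 connection attempts (scanning for further Apache/SSL hosts).
Added example; flow records and thresholds are constructed, not taken
from the article or from a real capture."""

from collections import defaultdict

# Constructed flow records (assumption): "src dst proto dport", one per line,
# in the style of a summarised firewall or NetFlow export.
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.7 udp 2002
10.0.0.5 198.51.100.9 udp 2002
10.0.0.5 203.0.113.4 udp 2002
10.0.0.5 203.0.113.8 udp 2002
10.0.0.5 192.0.2.10 tcp 443
10.0.0.5 192.0.2.11 tcp 443
10.0.0.5 192.0.2.12 tcp 443
10.0.0.5 192.0.2.13 tcp 443
10.0.0.5 192.0.2.14 tcp 443
10.0.0.5 192.0.2.15 tcp 443
10.0.0.9 192.0.2.50 tcp 443
10.0.0.9 192.0.2.50 tcp 80
10.0.0.12 198.51.100.7 udp 2002
"""

PEER_PORT = 2002      # UDP port the article names for inter-host coordination
SCAN_PORT = 443       # HTTPS, where the SSLv2 handshake is offered
PEER_THRESHOLD = 3    # distinct UDP/2002 peers before calling it P2P chatter (assumption)
SCAN_THRESHOLD = 5    # distinct 443 targets before calling it scanning (assumption)


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        try:
            yield src, dst, proto.lower(), int(dport)
        except ValueError:
            continue


def classify_hosts(text, peer_threshold=PEER_THRESHOLD, scan_threshold=SCAN_THRESHOLD):
    """Return {src: set_of_tags} for source hosts matching the worm's traffic pattern.

    'p2p'  : at least peer_threshold distinct peers on UDP/2002
    'scan' : at least scan_threshold distinct destinations on TCP/443
    Hosts matching neither pattern are not present in the result.
    """
    udp_peers = defaultdict(set)
    tcp443_targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if proto == "udp" and dport == PEER_PORT:
            udp_peers[src].add(dst)
        elif proto == "tcp" and dport == SCAN_PORT:
            tcp443_targets[src].add(dst)

    findings = {}
    for src, peers in udp_peers.items():
        if len(peers) >= peer_threshold:
            findings.setdefault(src, set()).add("p2p")
    for src, targets in tcp443_targets.items():
        if len(targets) >= scan_threshold:
            findings.setdefault(src, set()).add("scan")
    return findings


if __name__ == "__main__":
    for host, tags in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: {', '.join(sorted(tags))}")
```

On the constructed sample only 10.0.0.5 is flagged, with both tags: it talks to four distinct peers on UDP/2002 and opens connections to six distinct hosts on 443. The single UDP/2002 flow from 10.0.0.12 and the two ordinary Web connections from 10.0.0.9 fall below the thresholds. A host that matches only "scan" may be a legitimate crawler or monitor, so the combination of the two tags is the stronger signal; the thresholds should be tuned against the site's own baseline before acting on the output.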
Even without launching an attack, the "chatter" between Slapper network hosts is already having a serious impact on corporate networks infected with the worm.
"There is very strong evidence that the chatter between compromised machines has already caused pain to several organisations independent of a DDoS attack," said Marty Lindner, team leader for incident handling at CERT, who attributes the slowdowns to poor design in the worm, rather than a purposeful attack.
This was first published in September 2002