Slapper worm variants torment system administrators

Two variants of the Slapper worm - which targets Apache Web servers running on Linux operating systems - are reported to be spreading. The worm initially surfaced two weeks ago and has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure, a computer and network security company.

The variants, known as Slapper.B and Slapper.C, are modifications of the original Slapper worm, known as Slapper.A, and may prove more difficult to remove from infected systems.

The worm exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, the initial exchange of messages between an SSL server and an SSL client in which each authenticates itself.

The worm uses the SSL vulnerability to transfer its malicious source code to a remote machine. It then compiles that code, producing a new executable.

Once infected by the Slapper worm, Web servers become hosts in a large peer-to-peer network of other infected servers. Infected servers scan for other Web hosts to infect, and co-ordinate with infected hosts using one of a number of UDP (User Datagram Protocol) ports.

The latest variants use different UDP ports to communicate with other infected servers, and have different names from the original worm. While Slapper.A uses the name "bugtraq" and relies on UDP port 2002, Slapper.B is called "cinik" and uses port 1978 while Slapper.C is named "unlock" and uses port 4156, according to F-Secure.

System administrators and antivirus software can spot likely infections by searching their servers for directories and files using those names, and by looking for abnormally heavy traffic on the affected ports.
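A triage check built from the indicators the article names (each variant's file or directory name and the UDP port it uses), written here as an added example rather than code from F-Secure or the original report. It parses a constructed /proc/net/udp-style socket table and walks a constructed directory; matching hidden copies such as ".cinik" is an assumption of this example, not something the article states.

```python
import os
import tempfile

# Variant -> (file/directory name, UDP port), as reported by F-Secure.
SLAPPER_INDICATORS = {
    "Slapper.A": ("bugtraq", 2002),
    "Slapper.B": ("cinik", 1978),
    "Slapper.C": ("unlock", 4156),
}

# Constructed /proc/net/udp-style sample; the local port is the hex field after
# the colon (0x07D2 = 2002, 0x103C = 4156). 0x0035 is ordinary DNS, not a hit.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 5678
   2: 00000000:103C 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 9012
"""

def udp_ports_from_proc(text):
    """Return the set of local UDP ports listed in /proc/net/udp-style text."""
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def suspicious_names(root):
    """Indicator names found as file/dir basenames under root; hidden copies
    such as '.bugtraq' are matched too (an assumption, not from the article)."""
    wanted = {name for name, _ in SLAPPER_INDICATORS.values()}
    return {entry.lstrip(".") for _, dirs, files in os.walk(root)
            for entry in dirs + files if entry.lstrip(".") in wanted}

def match_indicators(names, ports):
    """Map each variant to the indicators seen; a hit on either one counts."""
    hits = {}
    for variant, (name, port) in SLAPPER_INDICATORS.items():
        reasons = [r for r, seen in [(f"name {name!r}", name in names),
                                     (f"UDP port {port}", port in ports)] if seen]
        if reasons:
            hits[variant] = reasons
    return hits

def demo():  # run the check on a constructed tree and the constructed table
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, ".cinik"))   # constructed hidden directory
        return match_indicators(suspicious_names(tmp),
                                udp_ports_from_proc(SAMPLE_PROC_NET_UDP))
```

On a live host the same functions would be fed the contents of /proc/net/udp and a walk of the directories the worm is known to use, with every hit confirmed by inspecting the process that owns the socket.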

However, while such small modifications to the original worm are easy to compensate for, Slapper.B contains other modifications that make its removal from infected servers more difficult.

F-Secure researchers said Slapper.B is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the domain.

Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.

The variation in Slapper.B, as well as another that enables the worm to restart itself, may explain the variant's rapid spread. In Australia, more than 120 businesses have been infected with the new worm variation.

Yet none of the variants have altered the worm's basic strategy for infecting machines - the exploitation of the buffer overflow in vulnerable versions of OpenSSL. That fact, coupled with the continued spread of the worm, has some security experts scratching their heads.

"When I first heard about the spread [Slapper.B], I thought maybe that there was another vulnerability in SSL that was being exploited - maybe another buffer overrun - or that someone had altered the code that is used by the worm to locate new hosts," said Mikko Hypponen of F-Secure.

"But when I looked at Slapper.B and saw that none of that code had been changed, that it was just a different port number and new file names, I couldn't believe that this worm was still spreading."

Geoff Shively, chief hacking officer at security company Pivx Solutions, wondered if the increased attention to new worms and their variants is overloading overtaxed system administrators.

"Companies are putting pressure on system administrators to patch issues and manage the entire system from printers all the way up to servers, and it isn't fair. These companies need people whose job it is just to do patches - security administrators in addition to system administrators."