
Linux.Worm.Slapper.A

MEDIUM
MEDIUM
65-70KB (C source)
(N/A)

Symptoms

- files "/tmp/.bugtraq" and "/tmp/.bugtraq.c" containing the worm's executable and source code;

- a process ".bugtraq" running (the executable worm);

- UDP port 2002 open.

Removal instructions:

1. Make sure that you have the latest updates, using bdc --update or the manual update for this product.

2. Terminate the ".bugtraq" process using killall -9 .bugtraq or by restarting the computer.

3. Use BitDefender for Linux with the following parameters on the command line:
bdc --all --delete --list /tmp

4. Update the Apache server to eliminate the vulnerability.
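As an added example (not part of the Bitdefender entry), the following read-only triage script checks a host for the three symptoms listed above: the dropped files, a ".bugtraq" process, and a UDP socket bound to port 2002. Paths are parameters so the same checks can be run against a mounted disk image or a constructed fixture; the defaults point at the live system.

```sh
#!/bin/sh
# Added example, not part of the Bitdefender entry: read-only triage for the
# Slapper.A symptoms (dropped files, ".bugtraq" process, UDP 2002 listener).
# Every check takes its path as a parameter so it can also be pointed at a
# mounted image or a constructed fixture instead of the live system.

# Count worm files under filesystem root $1 (default: live "/").
# /tmp/.uubugtraq is the uuencoded source named in the technical description.
slapper_count_files() {
    root="${1:-}"
    n=0
    for f in /tmp/.bugtraq /tmp/.bugtraq.c /tmp/.uubugtraq; do
        if [ -e "$root$f" ]; then
            echo "indicator: file $root$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Count processes whose comm name is ".bugtraq", reading $1 (default /proc)
# directly so the check does not depend on ps/pgrep output.
slapper_count_procs() {
    proc="${1:-/proc}"
    n=0
    for comm in "$proc"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm" 2>/dev/null)" = ".bugtraq" ]; then
            echo "indicator: process ${comm%/comm}" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Count UDP sockets bound to port 2002 in a /proc/net/udp-format table ($1).
# local_address is hex IP:PORT, so 2002 decimal shows up as ":07D2".
slapper_count_udp2002() {
    table="${1:-/proc/net/udp}"
    [ -r "$table" ] || { echo 0; return 0; }
    awk 'NR > 1 && toupper($2) ~ /:07D2$/ { n++ } END { print n + 0 }' "$table"
}

# Live-host summary; pass /proc/net/udp6 to the last check to cover IPv6 too.
slapper_triage() {
    files=$(slapper_count_files "")
    procs=$(slapper_count_procs /proc)
    udp=$(slapper_count_udp2002 /proc/net/udp)
    echo "Slapper.A indicators: files=$files procs=$procs udp2002=$udp"
}

slapper_triage
```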

Analyzed By

Bogdan Dragu BitDefender Virus Researcher

Technical Description:

Linux.Worm.Slapper.A is an Internet worm that exploits a vulnerability in the OpenSSL implementation of the Secure Sockets Layer protocol: sending a malformed client key in an SSL request may cause a buffer overrun and run code of the attacker's choice on the server. More detailed information about this vulnerability (discovered in July 2002) is available at http://www.openssl.org/news/secadv_20020730.txt. The worm targets several Linux distributions running the popular Apache web server.

The worm scans for vulnerable computers in the network with IPs of the form a.b.c.d, where 'a' and 'b' are chosen randomly ('a' is limited to one of 162 possible values in the range 3 to 239) and 'c' and 'd' are iterated through all possible values. For every scanned IP, the worm tries to establish an HTTP connection in order to query the operating system and see whether a vulnerable version of the Apache server is running (Gentoo, Debian, Red Hat, SuSE, Mandrake and Slackware, and several versions of Apache 1.3.xx, are currently "supported" by the worm; a default configuration of Red Hat Linux running Apache 1.3.23 is assumed if none of the hardcoded ones is detected).

The worm will attempt (a maximum of 20 times, with 0.1 seconds between retries) to connect to the possibly vulnerable computer's default SSL port (443) and send it a malformed string that causes a buffer overrun and runs the embedded x86 machine code. This code uses INT 80h system calls to access Linux kernel services and invoke the shell (with redirected output for "silent" execution) in order to perform the following actions:

- save an encoded (uuencoded) copy of the worm's C source code in "/tmp/.uubugtraq";
- decode it to "/tmp/.bugtraq.c";
- compile the source to "/tmp/.bugtraq";
- run the generated executable with the sender machine's IP as a command-line argument.
(The code sequence is selected to match the Linux/Apache configuration determined during the HTTP query.)

This mechanism of sending the source code (a C program) and compiling it on the target machine gives the worm portability across many Linux distributions.

Besides replicating to other computers in the network as described, the worm listens on UDP port 2002 for (encrypted) messages, which provide the following functions:

- direct communication with another infected machine;
- relaying a data packet to another infected machine;
- broadcasting a data packet to all infected machines;
- running a command on the machine;
- initiating a distributed denial-of-service attack on a machine (using UDP, TCP or IPv6 TCP connections, or DNS requests to domain name servers).

This backdoor-like behaviour compromises the security and functionality of both the local machine and the network.