September 24, 2002, 5:42 PM — Two new variants of the Slapper worm that targets Apache Web servers running on Linux operating systems have appeared and are reported to be spreading. The worm initially surfaced two weeks ago.
The new variants, known as Slapper.B and Slapper.C, are modifications of the original Slapper worm, known as Slapper.A, and may prove more difficult to remove from infected systems.
The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company. The handshake process is an initial exchange of messages between an SSL server and an SSL client in which each authenticates itself.
The worm uses the SSL vulnerability to transfer its malicious source code to a remote machine. It then compiles that code on the target, producing a new executable, according to an advisory posted on the Carnegie Mellon University Computer Emergency Response Team Coordination Center's Web page.
Once infected by the Slapper worm, Web servers become hosts in a large peer-to-peer network of other infected servers. Infected servers scan for other Web hosts to infect, and coordinate with other infected hosts using one of a number of UDP (User Datagram Protocol) ports.
The latest variants of the original Slapper.A worm use different UDP ports to communicate with other infected servers, and have different names from the original worm. While Slapper.A uses the name "bugtraq" and relies on UDP port 2002, Slapper.B is called "cinik" and uses port 1978, and Slapper.C is named "unlock" and uses port 4156, according to an advisory published by F-Secure.
System administrators and antivirus software can spot likely infections by searching their servers for directories and files using those names, and by looking for abnormally heavy traffic on the affected ports.
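The two checks just described, a sweep of file and directory names and a look at UDP traffic volume on the three coordination ports, can be scripted. The block below is an added example written for this article, not code from F-Secure, CERT/CC or the worm itself; the file listing and flow records it runs on are constructed for illustration, and the `packets_threshold` value is an arbitrary assumption that an administrator would tune to the server's normal traffic.

```python
"""Indicator sweep for the Slapper variants described in the article.

The names and UDP ports come from the F-Secure advisory quoted above; the
sample file listing and UDP flow records below are constructed for this
example and are not real data.
"""
from collections import Counter

# variant -> (name used for its files/directories, UDP port it coordinates on)
SLAPPER_INDICATORS = {
    "Slapper.A": ("bugtraq", 2002),
    "Slapper.B": ("cinik", 1978),
    "Slapper.C": ("unlock", 4156),
}


def match_paths(paths):
    """Return (variant, path) pairs whose final path component contains an
    indicator name (case-insensitive).  Substring matching catches hidden
    files such as '.bugtraq.c'; because 'unlock' is an ordinary word, every
    hit is a lead for an administrator to review, not proof of infection."""
    hits = []
    for path in paths:
        base = path.rstrip("/").rsplit("/", 1)[-1].lower()
        for variant, (name, _port) in SLAPPER_INDICATORS.items():
            if name in base:
                hits.append((variant, path))
    return hits


def heavy_udp_ports(flows, packets_threshold):
    """flows: iterable of (protocol, destination_port, packet_count) records,
    e.g. aggregated from a firewall or flow log.  Returns {variant: packets}
    for indicator UDP ports whose total packet count exceeds the threshold;
    TCP records and unrelated UDP ports are ignored."""
    port_to_variant = {port: v for v, (_name, port) in SLAPPER_INDICATORS.items()}
    totals = Counter()
    for protocol, port, packets in flows:
        if protocol.lower() == "udp" and port in port_to_variant:
            totals[port] += packets
    return {port_to_variant[p]: n for p, n in totals.items() if n > packets_threshold}


def sweep(paths, flows, packets_threshold=1000):
    """Combine both checks into one report for the host."""
    return {
        "suspicious_paths": match_paths(paths),
        "heavy_udp_ports": heavy_udp_ports(flows, packets_threshold),
    }


# Constructed sample input (not real host data).
SAMPLE_PATHS = [
    "/tmp/.bugtraq.c",
    "/tmp/bugtraq",
    "/var/www/html/index.html",
    "/tmp/cinik",
    "/usr/share/doc/README",
]

# (protocol, destination port, packet count) over some observation window.
SAMPLE_FLOWS = [
    ("udp", 2002, 5400),
    ("tcp", 443, 900),
    ("udp", 1978, 12),
    ("udp", 53, 300),
    ("udp", 4156, 2100),
]

if __name__ == "__main__":
    report = sweep(SAMPLE_PATHS, SAMPLE_FLOWS)
    for variant, path in report["suspicious_paths"]:
        print(f"{variant}: suspicious path {path}")
    for variant, packets in report["heavy_udp_ports"].items():
        print(f"{variant}: {packets} UDP packets on its coordination port")
```

On a real server the path list would come from a `find` over the filesystem and the flow records from a firewall or flow collector; the two checks are kept separate so that a name hit without traffic, or traffic without a name hit, is still surfaced for review.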
And, while such small modifications to the original worm are easy to compensate for, Slapper.B contains other modifications that make its removal from infected servers more difficult.
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
That modification to Slapper.B, along with another that enables the worm to restart itself, may explain the variant's rapid spread in countries such as Australia, experts say. More than 120 businesses have been infected with the new worm variation in that country.