[Linux] Slapper.C/httpd, unlock Slapper.B /Cinik Radar Alert LEVEL 1

---------


From: Unix&NT-Mäklarna (unixnt@dck.se)
Date: Fri 27 Sep 2002 - 10:43:07 EEST


lin09/020927
phptr@yahoogroups.com
linux@linux.org.tr

27 September 2002, Göteborg/Sweden

VARIANT: Slapper.C
ALIAS: httpd, unlock

VARIANT: Slapper.B
ALIAS: Cinik

Radar Alert LEVEL 1
NAME: Slapper
ALIAS: Linux.Slapper-A, Linux.Slapper-Worm, Apache/mod_ssl Worm, Slapper.source

This is a slightly modified variant of Slapper.A. It uses port 1978 instead
of port 2002 and the filename of the worm has been changed to "cinik.c".
The worm also has backup functionality: if the worm is removed from the host,
then it tries to download a copy of the worm from a page on a Romanian
web site (under home.ro). We've been in touch with the administrators of
this site and the virus page has now been deleted.
This doesn't stop the worm from spreading though.

Another variant "Unlock" was found on Sunday the 22nd of September 2002.

This variant uses port 4156 instead of port 2002 and the filename
of the worm has been changed to "unlock.c".

As both Cinik and Unlock versions use the same vulnerability as
the original Slapper worm, most of the potential targets for them
have been updated and patched already to prevent infection.

LinuxMASK: Slapper 13 September 2002/Friday evening
_______________________________________________

Dear colleagues,

The Slapper trojan makes your Linux servers remotely controllable. At the
moment it has spread to 16 Linux servers in Sweden and 6000 worldwide.

Prevention information is on the site below:

www.f-secure.com/virus/slapper/

REMOVAL

The worm is visible in the infected system as a process
".bugtraq". An infected system can be disinfected by terminating
the worm's process, and by removing the files created into temporary
directory:

         /tmp/.uubugtraq
         /tmp/.buqtraq.c
         /tmp/.bugtraq

Regards/ Kale CELIK

Northern Europe

i-position - Swedish Internet Positioning Technology

http://www.f-secure.com/

Radar Alert LEVEL 1
NAME: Slapper
ALIAS: Linux.Slapper-A, Linux.Slapper-Worm, Apache/mod_ssl Worm, Slapper.source

For general information and geographic infection data on Linux.Slapper, see
the Global Slapper Worm Information Center at http://www.f-secure.com/slapper/

UPDATE (2002-09-23 07:30 GMT)

A new variant of Slapper known as "Cinik" was found on Monday the 23rd of
September 2002.

This is a slightly modified variant of Slapper.A. It uses port 1978 instead
of port 2002 and the filename of the worm has been changed to "cinik.c".
The worm also has backup functionality: if the worm is removed from the
host, then it tries to download a copy of the worm from a page on a
Romanian web site (under home.ro). We've been in touch with the
administrators of this site and the virus page has now been deleted. This
doesn't stop the worm from spreading though.

Another variant "Unlock" was found on Sunday the 22nd of September 2002.

This variant uses port 4156 instead of port 2002 and the filename of the
worm has been changed to "unlock.c".

As both Cinik and Unlock versions use the same vulnerability as the
original Slapper worm, most of the potential targets for them have been
updated and patched already to prevent infection.

SLAPPER WORM

Slapper is a network worm that spreads on Linux machines by using a flaw
discovered in August 2002 in OpenSSL libraries. The worm was found in
Eastern Europe late on Friday September 13th 2002.

The worm affects Linux machines that are running Apache web server with
OpenSSL enabled. Apache installations cover more than 60% of public web
sites on the internet. It can be estimated that less than 10% of these
installations have enabled SSL services. SSL is most often used for online
commerce, banking and privacy applications.

Once a machine gets infected, the worm starts to spread to new systems. In
addition, the worm contains code to create a peer-to-peer attack network,
where infected machines can remotely be instructed to launch a wide variety
of Distributed Denial of Service (DDoS) attacks.

The worm works on Intel-based machines running Linux distributions from Red
Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be
enabled and the OpenSSL version must be 0.9.6d or older.

Slapper is very similar to the Scalper Apache worm, which was found in June
2002. The basic theory of operation is similar to the first widespread web
worm, Code Red. Code Red infected more than 350000 websites running
Microsoft IIS in July 2001.

UPDATE (2002-09-16 09:50 GMT) So far, we've received direct reports of
infected machines from almost 100 different countries. See Global Slapper
Worm Information Center for details: http://www.f-secure.com/slapper/

UPDATE (2002-09-14 20:30 GMT)

So far, F-Secure has received either direct or second-hand reports of
infected machines from the following countries:

  Norway
  Lithuania
  Romania
  Portugal
  Japan
  The Netherlands
  China
  Turkey
  India
  USA
  Taiwan
  UK

VARIANT: Slapper.A

The worm infects the system by creating a uuencoded copy of itself to
/tmp/.uubugtraq. It decodes the file to /tmp/.bugtraq.c and uses gcc
compiler to produce an executable copy of itself as /tmp/.bugtraq, which is
then executed.

At this point, the worm starts to scan a predefined set of Class A networks
for vulnerable machines by connecting to the httpd server (port 80). If the
worm can connect, it will check the content of the "Server:" header from
the response. If the header contains the string "Apache", the worm will
attempt to connect to the SSL server (port 443), and attempt to infect the
target by using the OpenSSL vulnerability. Further details about the
vulnerability are available below.

The worm also contains a backdoor that listens to UDP port 2002, and can be
controlled remotely. The backdoor contains the ability to upload and
execute arbitrary programs in the infected host. It also contains the
functionality to perform various denial of service attacks. This backdoor
is very similar to the one within the Scalper worm.

REMOVAL

The worm is visible in the infected system as a process ".bugtraq". An
infected system can be disinfected by terminating the worm's process, and
by removing the files created into the temporary directory:

         /tmp/.uubugtraq
         /tmp/.buqtraq.c
         /tmp/.bugtraq

The Apache web server must be shut down as well and the OpenSSL library must
be upgraded to a fixed version (0.9.6e or above) in order to avoid
reinfection.

Detection

Detection for F-Secure Anti-Virus was published on September 14th, 2002:

  [FSAV_Database_Version]
  Version=2002-09-14_01

Further information

The OpenSSL security advisory is available at
http://www.openssl.org/news/secadv_20020730.txt

CERT(r) advisory is available at:
http://www.cert.org/advisories/CA-2002-23.html

Security advisories released by Linux vendors:

Debian: http://www.debian.org/security/2002/dsa-136
Mandrake: http://www.mandrakelinux.com/en/security/2002/MDKSA-2002-046.php
RedHat: http://rhn.redhat.com/errata/RHSA-2002-155.html
SuSE: http://www.suse.com/de/security/2002_027_openssl.html

VARIANT: Slapper.B
ALIAS: Cinik

This is a modified variant of Slapper.A.

When the host is infected, this variant uploads itself to /tmp/.cinik.uu,
decodes the source code to /tmp/.cinik.c and compiles itself to /tmp/.cinik.

This variant also creates a bash script in the temporary directory,
/tmp/.cinik.go. The bash script is used to collect system configuration
information that is probably sent to the virus writer via email. The script
also copies the compiled .cinik file to every directory where the user that
runs the Apache server has write privileges.

This variant uses port 1978 instead of port 2002.

It also has a backup: if the worm source code is removed from the host, it
will download a copy of its source code from a Romanian web site, if the
infected system has the wget utility installed. F-Secure is working on
removing the worm from the web page.

The worm also adds itself to the crontab file so that the worm will be
restarted hourly in case it has been terminated.

F-Secure Anti-Virus already detects this variant with the updates released
on September 14th, 2002:

  [FSAV_Database_Version]
  Version=2002-09-14_01

This variant can be removed from an infected host by removing the crontab
entry from the user that is used to run the Apache web server, terminating
the worm's process (.cinik) and removing the infected files from the host.
Apache should also be shut down and the appropriate updates should be
applied before it is restarted.

VARIANT: Slapper.C
ALIAS: httpd, unlock

This is a slightly modified variant of Slapper.A. This variant uses a
different port - port 4156 instead of 2002 - and different file names. It
uploads itself as /tmp/.unlock.uu, decodes the file to /tmp/.unlock and
uses tar to decompress its content. Then the worm compiles the extracted
source code /tmp/.unlock.c to /tmp/httpd, starts it and removes all files
except /tmp/.unlock.

This variant also sends IP addresses of infected hosts via email, probably
to the virus writer.

This variant can be removed from the host by shutting down Apache, killing
the worm's process (httpd) and deleting the file /tmp/.unlock. The
appropriate updates should be applied before Apache is restarted.

[Analysis: Sami Rautiainen, Mikko Hypponen, Katrin Tocheva; F-Secure
Corporation; September 23rd, 2002]
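As an added host-triage example (not F-Secure's or Trend Micro's code), the script below applies the indicators the advisory lists: the variant file names in /tmp, the backdoor UDP ports 2002/1978/4156 read from /proc/net/udp, the Slapper.B crontab entry, and the OpenSSL 0.9.6d/0.9.6e threshold. The sample inputs are constructed; on a real host you would pass os.listdir("/tmp"), the contents of /proc/net/udp, the Apache user's crontab lines and the output of `openssl version`.

```python
import re
# Indicators from the advisory text: drop files, backdoor UDP ports and the
# crontab persistence described for Slapper.B (/tmp/httpd is transient for .C).
VARIANT_FILES = {
    "Slapper.A": {".uubugtraq", ".bugtraq.c", ".bugtraq"},
    "Slapper.B (Cinik)": {".cinik.uu", ".cinik.c", ".cinik", ".cinik.go"},
    "Slapper.C (Unlock)": {".unlock.uu", ".unlock.c", ".unlock", "httpd"},
}
VARIANT_UDP_PORT = {2002: "Slapper.A", 1978: "Slapper.B (Cinik)", 4156: "Slapper.C (Unlock)"}

def udp_listeners(proc_net_udp: str) -> set:
    """Local ports from /proc/net/udp; column 2 is 'hexip:hexport'."""
    ports = set()
    for line in proc_net_udp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) > 1:
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return ports

def openssl_vulnerable(version_output: str) -> bool:
    """True for 0.9.6d or older (the advisory's fixed version is 0.9.6e)."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", version_output)
    if not m:
        raise ValueError("unrecognised openssl version string")
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) <= (0, 9, 6, "d")

def triage(tmp_entries, proc_net_udp, crontab_lines, openssl_version):
    """Map each variant to the indicators seen; an empty dict means nothing found."""
    found = {}
    for variant, names in VARIANT_FILES.items():
        for name in sorted(set(tmp_entries) & names):
            found.setdefault(variant, []).append("/tmp/" + name)
    for port in udp_listeners(proc_net_udp) & set(VARIANT_UDP_PORT):
        found.setdefault(VARIANT_UDP_PORT[port], []).append(f"udp/{port} listener")
    for line in crontab_lines:
        if ".cinik" in line:                         # hourly restart entry
            found.setdefault("Slapper.B (Cinik)", []).append("crontab: " + line.strip())
    if openssl_vulnerable(openssl_version):
        found["reinfection risk"] = ["OpenSSL <= 0.9.6d: upgrade before restarting Apache"]
    return found

# Constructed sample input modelled on a Slapper.B host (not captured data).
SAMPLE_TMP = [".X11-unix", ".cinik.uu", ".cinik.c", ".cinik", ".cinik.go"]
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:07BA 00000000:0000 07 00000000:00000000 00:00000000 00000000    99        0 12345 2 00000000 0\n"
    "   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 00000000 0\n"
)
SAMPLE_CRONTAB = ["0 * * * * /tmp/.cinik"]           # constructed crontab entry
SAMPLE_OPENSSL = "OpenSSL 0.9.6b 9 Jul 2001"
```

Running `triage(SAMPLE_TMP, SAMPLE_PROC_NET_UDP, SAMPLE_CRONTAB, SAMPLE_OPENSSL)` reports the four .cinik files, the udp/1978 listener, the crontab entry and the reinfection risk; an empty result on a clean host with OpenSSL 0.9.6e or later.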


ELF_SLAPPER.C
(see also: description and solution)

In the wild: No
Discovered: Sep. 19, 2002 12:00:00 AM GMT -0800
Detection available: Sep. 19, 2002 12:00:00 AM GMT -0800
Detected by pattern file #: 352 (CPR)
Detected by scan engine #: 5.200
Language: English
Platform: Linux
Encrypted: No
Size of virus: 52,371 Bytes

Details:
This Linux Trojan is a remote exploit for the KEY_ARG overflow
in OpenSSL 0.9.6d and older. It gives an attacker a remote shell,
with the privileges of the server process - nobody when used
on Apache and root when used on other servers.

This malware includes an OpenSSL vulnerability scanner, which is
more reliable than the RUS-CERT scanner and has detailed vulnerability
analysis.

This Trojan works on the following architectures:

Gentoo (apache-1.3.24-r2)
Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
Slackware 7.0 (apache-1.3.26)
Slackware 8.1-stable (apache-1.3.26)
RedHat Linux 6.0 (apache-1.3.6-7)
RedHat Linux 6.1 (apache-1.3.9-4)
RedHat Linux 6.2 (apache-1.3.12-2)
RedHat Linux 7.0 (apache-1.3.12-25)
RedHat Linux 7.1 (apache-1.3.19-5)
RedHat Linux 7.2 (apache-1.3.20-16)
Redhat Linux 7.2 (apache-1.3.26 w/PHP)
RedHat Linux 7.3 (apache-1.3.23-11)
SuSE Linux 7.0 (apache-1.3.12)
SuSE Linux 7.1 (apache-1.3.17)
SuSE Linux 7.2 (apache-1.3.19)
SuSE Linux 7.3 (apache-1.3.20)
SuSE Linux 8.0 (apache-1.3.23-137)
SuSE Linux 8.0 (apache-1.3.23)
Mandrake Linux 7.1 (apache-1.3.14-2)
Mandrake Linux 8.0 (apache-1.3.19-3)
Mandrake Linux 8.1 (apache-1.3.20-3)
Mandrake Linux 8.2 (apache-1.3.23-4)

Description created: Sep. 19, 2002 5:33:20 AM GMT -0800
Description updated: Sep. 19, 2002 5:37:26 AM GMT -0800

-----------------------------------------------------------------------
You can use the web interface at http://liste.linux.org.tr for all
operations regarding your list membership.

To leave the list, send an e-mail to 'linux-request@linux.org.tr'
with "unsubscribe" in the "Subject" field.
-----------------------------------------------------------------------



---------

This archive was generated by hypermail 2b29.