F-Secure Warns of "Slapper" Worm That Can Cause Denial-of-Service Attacks on Linux Systems

Business Wire, Sept 14, 2002

Business/Technology Editors

SAN JOSE, Calif.--(BUSINESS WIRE)--Sept. 14, 2002

F-Secure has issued a "level 2" alert for a network worm that is spreading on computers running the Linux system.

The worm, called "Slapper," uses a flaw discovered in August in OpenSSL libraries, and was found in Eastern Europe late on Friday, Sept. 13. F-Secure said the worm is predicted to rapidly spread worldwide.

Also known as Linux.Slapper-A, Linux.Slapper-Worm, Apache/mod_ssl Worm, and Slapper.source, the worm typically affects Linux machines that are running Apache web server with SSL enabled. Apache installations cover more than 60% of public web sites in the Internet, although some estimate that fewer than 10% of those have enabled SSL services. SSL is most often used for online commerce, banking and privacy applications.

Once a machine gets infected, the worm starts to spread to new systems. In addition, the worm contains code to create a peer-to-peer attack network, where infected machines can remotely be instructed to launch a wide variety of Distributed Denial of Service (DDoS) attacks.

The worm works on Intel-based machines running Linux distributions from Red Hat, SuSE, Mandrake, Slackware or Debian. Apache and OpenSSL must be enabled and OpenSSL version must be 0.96d or older.

Slapper is very similar to the Scalper Apache worm, which was found in June 2002. The basic theory of operation is similar to the first widespread web worm, Code Red. Code Red infected more than 350000 websites running Microsoft IIS in July 2001.

Updates on Slapper can be found on the F-Secure website, www.F-Secure.com, and more specifically at http://www.f-secure.com/v-descs/slapper.shtml.>

COPYRIGHT 2002 Business Wire

COPYRIGHT 2008 Gale, Cengage Learning