More on the OpenSSL 'Slapper' Worm
Symantec has released an advisory for the emerging OpenSSL exploit worm, which has been given the name "Slapper". It attacks servers by sending a malformed GET request to port 443 to trigger a buffer overflow and obtain a shell. The worm then sends over its own UUencoded source code in a file named .bugtraq.c in the /tmp directory; the file is then decoded, compiled with gcc, and executed. What sets Slapper apart is that it builds a peer-to-peer network of infected systems, presumably for use in a distributed denial of service attack. It also randomly scans blocks of IP addresses for other vulnerable servers to infect, and listens on UDP port 2002 for commands.
We originally claimed that OpenSSL 0.9.6e and later have been patched against this vulnerability, but an alert from Incidents.org indicates that even current versions of the software may be susceptible, and offers instructions for disabling SSLv2 as a precaution. The source code for the worm is also available.
(N-Stalker Security Force)
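For administrators checking hosts against the indicators the article names, the following is an added example (not code from the original article or from the Symantec or Incidents.org advisories it cites). It looks for the dropped source file /tmp/.bugtraq.c and for a UDP listener on port 2002, working from plain data (a list of file paths and `netstat -lun` output) so it runs against the constructed samples embedded below or against a live host. Treating any other /tmp entry whose name starts with `.bugtraq` as a related artefact is an assumption of this example, not something the article states.

```python
"""Host-side indicator check for the Slapper worm artefacts described above.

Added example; not code from the original article or the advisories it cites.
It checks the two host artefacts the article names: the dropped source file
/tmp/.bugtraq.c and a UDP listener on port 2002. Inputs are passed in as data
so the same functions run against constructed samples or a live host.
"""
import os

WORM_SOURCE = "/tmp/.bugtraq.c"   # drop location named in the article
C2_UDP_PORT = 2002                # command port named in the article


def find_dropped_files(paths):
    """Return the paths that look like the worm's drop artefacts.

    The article names only /tmp/.bugtraq.c. Also flagging other /tmp entries
    whose name starts with '.bugtraq' (for instance the compiled output) is
    an assumption of this example, not something the article states.
    """
    hits = []
    for path in paths:
        in_tmp = os.path.dirname(path) == "/tmp"
        if path == WORM_SOURCE or (in_tmp and os.path.basename(path).startswith(".bugtraq")):
            hits.append(path)
    return hits


def parse_netstat_udp(output):
    """Parse `netstat -lun` style text into the list of locally bound UDP ports."""
    ports = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue  # skips header lines, blank lines and TCP entries
        local_address = fields[3]
        _, _, port = local_address.rpartition(":")  # works for IPv4 and '::' forms
        if port.isdigit():
            ports.append(int(port))
    return ports


def find_c2_listeners(ports):
    """Return the bound UDP ports that match the worm's command channel."""
    return [p for p in ports if p == C2_UDP_PORT]


def assess(paths, netstat_output):
    """Combine both checks into a list of findings; an empty list means clean."""
    findings = [f"dropped worm source or derivative: {p}"
                for p in find_dropped_files(paths)]
    findings += [f"UDP listener on worm command port {p}"
                 for p in find_c2_listeners(parse_netstat_udp(netstat_output))]
    return findings


def scan_tmp(tmp_dir="/tmp"):
    """Live helper: absolute paths of the entries in the given directory."""
    return [os.path.join(tmp_dir, name) for name in os.listdir(tmp_dir)]


# Constructed sample data for offline use; not captured from a real host.
CLEAN_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""
INFECTED_NETSTAT = CLEAN_NETSTAT + "udp        0      0 0.0.0.0:2002            0.0.0.0:*\n"
CLEAN_TMP = ["/tmp/sess_8f2a", "/tmp/.X11-unix"]
INFECTED_TMP = CLEAN_TMP + ["/tmp/.bugtraq.c", "/tmp/.bugtraq"]

if __name__ == "__main__":
    samples = (("clean", CLEAN_TMP, CLEAN_NETSTAT),
               ("infected", INFECTED_TMP, INFECTED_NETSTAT))
    for label, paths, net in samples:
        print(label, assess(paths, net) or "no indicators")
```

On a live host, `assess(scan_tmp(), subprocess.check_output(["netstat", "-lun"], text=True))` applies the same logic to real data; the checks are deliberately kept separate from data collection so they can also be run over copies of output gathered from many machines.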