Just a day after a second version of the Slapper worm was discovered, ISS has updated its advisories to report on Slapper.C, the third incarnation of this automated OpenSSL exploit. The most nefarious feature of this variant is that it attempts to overwrite every executable file on an infected system with copies of itself. It also adds each of these binaries to the crontab, so that any killed process will automatically restart. In addition, Slapper.C uses a different port for communicating on its P2P network – UDP 1978. Finally, the IP address, CPU info, and memory info of each infected system is e-mailed to cinik_worm@yahoo.com. So far, some 1,500 hosts have been compromised by this new variant, while Slapper.B has hit over 15,000 servers.

In related news, the e-mail address to which Slapper.B delivers infected systems’ IPs was traced to the Ukraine, where law enforcement has arrested a 21-year old male as a suspected author of the worm.

(N-Stalker Security Force)