Virus

Linux/Slapper

Analysis

  • Virus attacks Apache servers by exploiting a vulnerability in SSL
  • Virus requires the host to be running an OpenSSL version prior to 0.9.6e in order to pose a threat
  • Virus scans a random set of IP addresses for HTTP server response strings. If the string matches a predefined table, the virus attempts to infect that system as a viable host, attacking OpenSSL on TCP port 443 using a buffer overflow technique
  • Once the target system is compromised, the virus copies its code to the target as UUEncoded source. Then, using tools located on the target system, the virus decodes the source and compiles it into a Linux executable.
  • Virus infection grants root access to the infected system, in effect giving remote administrative access to the host
  • Virus opens UDP port 2002 and awaits commands from a hacker
  • Similarities exist between this virus and Linux/Scalper with respect to comments in the source code and infection method
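The analysis gives a defender two concrete checks: whether a host runs an OpenSSL build prior to 0.9.6e, and whether something is listening on UDP port 2002. The script below is an added example written for this entry, not code from the original analysis or from any vendor tool. It parses `openssl version` banners into comparable tuples (the trailing letter is OpenSSL's patch level, so 0.9.6d sorts before 0.9.6e) and scans `netstat -anu` style output for a local UDP 2002 listener. The banner strings and netstat rows are constructed sample input; the function names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Threshold named in the analysis: OpenSSL versions prior to 0.9.6e are exposed.
# Represented as (major, minor, fix, patch_letter_index); 'e' is the 5th letter.
FIXED_VERSION = (0, 9, 6, ord("e") - ord("a") + 1)

# UDP port the analysis says the virus opens to await commands.
SLAPPER_UDP_PORT = 2002

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn an `openssl version` banner into a comparable tuple.

    OpenSSL 0.9.x used a trailing letter as the patch level, so the ordering is
    0.9.6 < 0.9.6a < ... < 0.9.6e < 0.9.7. A release with no letter gets patch 0.
    Returns None if the banner does not look like an OpenSSL version string.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    patch = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_exposed_openssl(banner: str) -> bool:
    """True when the banner reports an OpenSSL version prior to 0.9.6e."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    return version < FIXED_VERSION


def udp_2002_listeners(netstat_lines: List[str]) -> List[str]:
    """Return the `netstat -anu` rows whose local UDP port is 2002.

    Only rows whose protocol column starts with 'udp' (udp or udp6) are
    considered; the header lines never match. The port is taken after the last
    colon so IPv6 addresses such as ':::2002' are handled too.
    """
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        local_address = fields[3]
        port = local_address.rsplit(":", 1)[-1]
        if port == str(SLAPPER_UDP_PORT):
            hits.append(line)
    return hits


# Constructed sample banners (hypothetical hosts, not real scan data).
SAMPLE_BANNERS = [
    "OpenSSL 0.9.6d 9 May 2002",
    "OpenSSL 0.9.6e 30 Jul 2002",
    "OpenSSL 0.9.7 31 Dec 2002",
]

# Constructed `netstat -anu` output with one UDP 2002 listener among normal services.
SAMPLE_NETSTAT = [
    "Active Internet connections (servers and established)",
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "udp        0      0 0.0.0.0:2002            0.0.0.0:*",
    "udp        0      0 127.0.0.1:323           0.0.0.0:*",
    "udp6       0      0 :::123                  :::*",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        status = "EXPOSED (prior to 0.9.6e)" if is_exposed_openssl(banner) else "ok"
        print(f"{banner!r}: {status}")
    for row in udp_2002_listeners(SAMPLE_NETSTAT):
        print("UDP 2002 listener found, investigate:", row)
```

A clean version check is not proof a host is uninfected, and an unexplained UDP 2002 listener is worth investigating regardless of which OpenSSL build is installed; both checks are cheap triage signals, not a replacement for patching Apache and OpenSSL.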