Threat Encyclopedia

ELF_SLAPPER.C

Malware type: Elf Executable

Aliases: Net-Worm.Linux.Slapper.a (Kaspersky), Linux.Slapper.Worm (Symantec), Worm/Net.Linux.A.3 (Avira), Linux/Slapper-B (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Linux

Encrypted: No

Overall risk rating:

Description: 
This Linux worm is a variant of ELF_SLAPPER.GEN. It uses an SSL exploit against the Apache Web server to gain access to the host computer. Once it has infiltrated the host, it can launch a DDoS attack against a specific target host.

*Consult ELF_SLAPPER.GEN for the specific SSL and Apache versions affected by this exploit and for the details of the DDoS operation.

Compared with ELF_SLAPPER.GEN, this variant uses a different port number to communicate and different filenames under which it copies itself.

This worm also mails information about the compromised machine to a specific email address. It has a backdoor component that listens on port 1052, downloads the file sent to it, and executes it.


Description created: Sep. 24, 2002 5:02:44 AM GMT -0800


TECHNICAL DETAILS


Size of malware: .unlock.c (72,772 Bytes), .update.c (2,875 Bytes)

Initial samples received on: Sep 24, 2002

Variant of: ELF_SLAPPER.GEN

Details:
This worm is a variant of ELF_SLAPPER.GEN. It launches a Distributed Denial of Service (DDoS) attack using the User Datagram Protocol (UDP), and it spreads by taking advantage of a buffer overflow vulnerability in OpenSSL 0.9.6d, 0.9.7-beta2 and earlier versions.

This variant has the following components (note the "." in the filenames):

  • .UNLOCK.C (72,772 Bytes)
  • .UPDATE.C (2,875 Bytes)

.UNLOCK.C is the worm C source code. It is very similar to the ELF_SLAPPER.GEN source code, differing only in the filename used, which is .unlock instead of .bugtraq. It also has the ability to alert the virus author by sending system information through email. The email details are as follows:

Mail server: freemail.ukr.net
Recipient: aion@ukr.net
Message: <HOST_I.P. and HOST_NAME>

The file .UPDATE.C is the C source code of the worm's backdoor component. The backdoor listens on port number 1052 and requires the password "aion1981" before it processes a command. It only downloads the program passed to it by its client, executes that program through the shell, and then exits.

Unlike ELF_SLAPPER.GEN, which listens on port 2002, this variant listens on the default port number 4156 for the commands of its DDoS operation.

The following text string can be found in this worm source code:

code by aion (aion@ukr.net)


SOLUTION


Minimum scan engine version needed: 5.450

Pattern file needed: 1.352.30

Pattern release date: Sep 24, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

  1. Shut down the Apache Web service.
  2. Scan your system with Trend Micro antivirus and delete all files detected as ELF_SLAPPER.C. To do this, Trend Micro customers must download the latest pattern file and scan their system.
  3. Use any available process viewer program to view and terminate the .unlock* process.

Note: In order to avoid getting infected by ELF_SLAPPER.C, users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
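An added triage helper, not part of this Trend Micro entry and not the vendor's tool, that checks a Linux host for the indicators given in the technical details and the solution above: the ports 1052 and 4156, the .unlock process and file names, .update.c, and the author string. The directory to inspect and the ss/ps output formats are assumptions.

```shell
#!/bin/sh
# Added triage helper (not Trend Micro's code). Ports, file names and the
# author string come from the description; everything else is assumed.
SLAPPER_PORTS="1052 4156"       # 1052 = backdoor listener, 4156 = DDoS control
SLAPPER_NAME=".unlock"          # dropped file / process name (.bugtraq in .GEN)
SLAPPER_STRING="aion@ukr.net"   # string present in the worm source

# Reads socket lines (ss -lntu or netstat -an style) on stdin and prints any
# bound to a Slapper.C port. Returns 0 if a line matched, 1 otherwise.
check_listeners() {
    found=1
    while IFS= read -r line; do
        for p in $SLAPPER_PORTS; do
            if printf '%s\n' "$line" | grep -qE ":$p([[:space:]]|$)"; then
                printf 'suspicious listener: %s\n' "$line"
                found=0
            fi
        done
    done
    return $found
}

# Reads "pid comm" lines (ps -eo pid,comm style) on stdin and prints the
# processes whose name starts with .unlock (step 3 of the solution above).
check_processes() {
    found=1
    while read -r pid comm rest; do
        case "$comm" in
            "$SLAPPER_NAME"*) printf 'suspicious process: pid=%s comm=%s\n' "$pid" "$comm"
                              found=0 ;;
        esac
    done
    return $found
}

# Searches directory $1 (caller's choice; the description names no drop
# location) for .unlock*, .update.c and files containing the author string.
check_files() {
    hits=$( { find "$1" \( -name "$SLAPPER_NAME*" -o -name '.update.c' \)
              grep -rl -- "$SLAPPER_STRING" "$1"; } 2>/dev/null )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | sort -u | sed 's/^/suspicious file: /'
}

# Live run on the current host: sh slapper_triage.sh --live /directory/to/inspect
if [ "${1:-}" = "--live" ]; then
    ss -lntu | check_listeners
    ps -eo pid,comm | check_processes
    check_files "${2:?directory to inspect}"
fi
```

Each check exits 0 when it found an indicator and 1 when it did not, so the helper can be chained into a larger incident-response script.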

