Malware type: Elf Executable

Aliases: Net-Worm.Linux.Slapper.a (Kaspersky), Linux/Slapper.worm.a (McAfee), Linux.Slapper.Worm (Symantec), Worm/Net.Linux.A.5 (Avira), Linux/Slapper-A (Sophos), Worm:Linux/Slapper (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Unix/Solaris/Linux/BSD compatible systems

Encrypted: No

Overall risk rating:

This Linux worm launches a distributed denial of service (DDOS) attack. It uses the User Data Protocol (UDP) to execute the attack, and takes advantage of a buffer overflow vulnerability in OpenSSL 0.9.6d, 0.9.7-beta2 and earlier versions.

For additional information about this threat, see:

Description created: Sep. 14, 2002 7:00:52 AM GMT -0800
Description updated: Sep. 16, 2002 7:27:08 PM GMT -0800


Size of malware: 70,052 Bytes

Initial samples received on: Sep 14, 2002

Payload 1: Launches Distributed Denial of Service (DDoS) attack

Trigger condition 1: Upon execution

Upon execution, this Linux worm connects to a remote machine using the UDP protocol on a specified port. UDP is a protocol that allows connections even to unstable machines, since it does not require error-checking.

This worm uses the buffer overflow vulnerability in OpenSSL 0.9.6d and earlier verions, and 0.9.7-beta2 and earlier versions. It allows remote users to execute arbitrary code via a large client master key in SSL2 or a large session ID in SSL3. This exploit appears to determine how this worm attacks a host based on the information returned by the server on itself and its version.

This worm links by providing each machine with a list of available machines. Using a technique called broadcast segmentation combined with TCP-like functionality, this worm ensures that another machine on the network receives the broadcast packet, which it then segments again. After this, it recreates the packet and sends it to other hosts.

This worm attempts to connect to Port 80. Once connected, it sends an invalid GET request to a server to identify whether the machine is an Apache system. Once it finds an Apache system, this worm attempts to connect to port 443 and sends the exploit code to the listening SSL service on the remote system.

This Linux worm arrives on the target system as a source code with the filename ".bugtraq.c". It uses a Linux shell code exploit that runs only on Intel systems. In order for the code to execute properly, it requires the presence of the shell command /bin/sh. It recompiles itself on each new system.

The binary code generated after compilation is executed with an IP address as a parameter. This IP address is the address of the attacking machine and is used to create a network of worm infected systems, which would launch the destributed denial of service attack.


Minimum scan engine version needed: 5.200

Pattern file needed: 1.350.00

Pattern release date: Sep 14, 2002

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Scan your system with Trend Micro antivirus and delete all files detected as ELF_SLAPPER.A. To do this, Trend Micro customers must download the latest pattern file and scan their system.

NOTE: This malware exploits certain vulnerabilities in OPENSSL. An upgrade to OPENSSL 0.9.6e, 0.9.7beta3, or later versions is strongly recommneded.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.