Security experts divided on Slapper's threat

The Apache/mod_ssl, or "Slapper" worm that is fast infecting Web servers worldwide marks a new milestone in the evolution of computer worms, experts say: the creation of a peer-to-peer network by a worm for the purpose of conducting distributed denial of service (DDOS) attacks. But experts are divided on how big a threat Slapper poses to the Internet infrastructure as a whole.

The worm, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, is already believed to have infected over 13,000 Apache Web servers, according to Helsinki-based F-Secure Corp., a computer and network security company. The worm infects host machines by using the SSL vulnerability to transfer its malicious source code to a remote machine, then compiling that code there to produce a new executable, according to an advisory posted on Carnegie Mellon's CERT Coordination Center Web page.

Once infected by the Slapper worm, Web servers effectively become hosts in a large peer-to-peer network of other infected servers. Infected servers scan for other Web hosts to infect, and coordinate with other infected hosts over UDP (User Datagram Protocol) port 2002.

It is the ability of Slapper to create its own network, experts said, that makes this worm different from its predecessors, such as last year's Code Red worm or this summer's Scalper worm.

"Slapper is new in the sense that (infected machines) keep in touch with each other using their own network," said Russ Cooper, Surgeon General of TruSecure Corp. of Herndon, Virginia.

"Code Red made no attempt to coordinate hosts. All the infected hosts had similar instructions--to initiate a DOS attack against a particular address--but it wasn't a coordinated attack."

Unlike Code Red, however, the current version of Slapper circulating the Internet does not appear to be programmed to carry out attacks.

"My understanding is that there is not code to send instructions. (Slapper hosts) can receive notifications from other hosts--send and receive packets--but they can't really talk to each other," said Cooper.

Still, Cooper cautions that future variants of the worm might include the ability to send and receive instructions, making sophisticated attacks possible.

"One thing the attacker may have planned was to get this little worm in first, find out what hosts (it infects), then send out a variant that lets me send out instructions. I know we had 10 versions of NIMDA and 3 (versions) of Code Red within a couple weeks."

Other experts, however, worry that even in its current form, the Slapper worm can still pose a considerable threat to organizations that are infected, and to organizations that might find themselves the target of attacks from Slapper hosts.

"One of the things that worries us is that, because this worm is delivered as source code, and because that source code is well documented, anybody getting a hold of the source can quickly learn how to exploit the virus itself," said Tony Magallanez, a systems engineer at F-Secure North America.

"For example, knowing that Slapper hosts are listening on port 2002, anybody who knows the identity of those hosts can connect to that port and deposit whatever files they want--perhaps a program that will launch a timed attack."

And, Magallanez notes, because Slapper targets Web servers that are designed for high-volume traffic, any attack will leverage the capacity of those servers against its victim.

Even without launching an attack, the "chatter" between Slapper network hosts is already having a serious impact on corporate networks infected with the worm.

"There is very strong evidence that the chatter between compromised machines has already caused pain to several organizations independent of a DDOS attack," said Marty Lindner, Team Leader for Incident Handling at CERT, who attributes the slowdowns to poor design in the worm, rather than a purposeful attack.
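As an added example (not from the article, CERT, or any vendor's tooling) of the kind of check a network team could run for the UDP port 2002 "chatter" described above, this script parses constructed firewall-style flow lines and flags internal hosts that exchange UDP/2002 traffic with many distinct peers. The log format, the sample addresses, and the three-peer threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample flow log (not real data): "PROTO src:sport -> dst:dport".
SAMPLE_LOG = """\
UDP 10.0.1.5:2002 -> 192.0.2.10:2002
UDP 10.0.1.5:2002 -> 192.0.2.11:2002
UDP 10.0.1.5:2002 -> 198.51.100.7:2002
UDP 10.0.1.5:2002 -> 203.0.113.4:2002
TCP 10.0.1.5:44321 -> 192.0.2.10:443
UDP 10.0.1.9:2002 -> 192.0.2.10:2002
TCP 10.0.1.9:51000 -> 203.0.113.4:80
UDP 10.0.1.5:2002 -> 192.0.2.10:2002
"""

# Assumed log line layout; adjust the pattern for a real firewall export.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Return (proto, src, sport, dst, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def peer_counts(flows, port=2002):
    """Map each source host to the set of distinct hosts it sent UDP datagrams to on `port`."""
    peers = defaultdict(set)
    for proto, src, _sport, dst, dport in flows:
        if proto == "UDP" and dport == port:
            peers[src].add(dst)
    return peers


def flag_suspects(flows, port=2002, min_peers=3):
    """Hosts talking UDP/<port> to at least `min_peers` distinct peers: candidates for inspection."""
    return sorted(src for src, p in peer_counts(flows, port).items() if len(p) >= min_peers)


if __name__ == "__main__":
    for host in flag_suspects(parse_flows(SAMPLE_LOG)):
        print(f"inspect {host}: heavy UDP/2002 peer chatter")
```

Ordinary services rarely fan out on UDP 2002, so a host with many such peers is worth checking against the SSL patch status and the CERT advisory rather than treated as proof of infection.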

But while setting up a peer network of infected devices is new behavior for a worm, experts point out that it is not a particularly new phenomenon in the larger world of computer security exploits.

"This is not the first time that we've seen something that produces a command-and-control network," said Lindner. "There are machines that are compromised on a regular basis that get bots installed on them -- software that knows how to communicate with a master to produce a command-and-control network. That's not new. (Slapper) is just another method of delivery."

Security experts liken Slapper to IRC Trojan viruses, which use Internet Relay Chat (IRC) servers to commandeer and use remote machines connected to those servers using IRC clients.

TruSecure's Cooper finds echoes of Slapper in an earlier worm, Hybris. That worm, discovered in late 2000 and distributed as an e-mail attachment, was able to communicate with a remote Web site and news server, secretly downloading and installing plugins from those locations.

"This is nothing unusual," said CERT's Lindner. "(Slapper) just took a bunch of things that we've seen before and stuck them together."

Experts agree that the comparatively small number of vulnerable systems will make the overall impact of Slapper pale in comparison to worms like Code Red or NIMDA.

"In the case of Code Red, the potential number of systems was huge: all the people out there running (Microsoft) Windows and (Internet Information Server). In this case, you need Apache (Web server) running a vulnerable version of SSL on one of the versions of Linux that Slapper has been architected to exploit," said Lindner.