NEWS UPDATE ON SLAPPER VARIANTS
Two new variants of Slapper, "Cinik" and "Unlock" have been found over the weekend.
For more information, see the virus description.
As both Cinik and Unlock versions use the same vulnerability as the original
Slapper worm, most of the potential targets for them have been updated and
patched already to prevent infection.
The Slapper Linux worm was found on September 13th 2002 around 23:00 GMT. It quickly spread around the world.
Slapper spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.
The worm typically affects Linux machines that are running the Apache web server with OpenSSL enabled. Apache installations cover more than 60% of public web sites on the Internet. It can be estimated that less than 10% of these installations have SSL services enabled. By some estimates, there are over one million active OpenSSL installations on the public web. A large share of these machines have not yet been patched to close this hole, and are thus prone to infection by the Slapper worm.
Once a machine gets infected by Slapper, it joins a massive peer-to-peer denial-of-service network, which can be controlled by the virus author. During the weekend, F-Secure engineers reverse engineered the peer-to-peer protocol that the worm uses. F-Secure now has a computer connected to the Slapper peer-to-peer network, and through this node the exact number of infected machines and their network names can be identified.
For instructions on how to clean a system infected with Slapper, consult the
While Slapper creates a peer-to-peer network of infected machines, we can at the same time observe how it spreads. F-Secure has infiltrated this network to monitor the spread of the worm. This gives us real-time statistics on how many machines are currently part of the attack network, among other important information.
A snapshot of the data on Sunday September 15th 2002 at 17:00 GMT showed us that the network had 5987 machines.
A new snapshot of the data on Monday September 16th 2002 at 14:45 GMT showed us that the network had 11249 machines: the number roughly doubled in a day.
A later snapshot on Monday around 16:00 GMT showed 13892 machines. However, this figure is quickly becoming useless, as a very large number of these machines has already been cleaned (we have sent e-mail warnings to their administrators).
Much more interesting and relevant is the number of currently active IP addresses in the peer-to-peer network. This is illustrated by the graph below (updated automatically every hour).
The table below shows the top-level domain distribution of all machines that currently are or have ever been members of the worm's p2p DDoS network. It doesn't show infected machines that are unable to connect to the p2p network (blocked by a firewall). Also, if a machine is removed from the network (taken offline or cleaned), it still appears on this list. This means that the numbers on this list will never decrease: they are the total count of current and previous unique machines in the network. This table was updated 2002-09-17 at 10:45 GMT.
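The distinction drawn above between the cumulative membership list (which never decreases), the currently active address count, and the per-TLD breakdown can be made concrete with a small script. This is an added example, not F-Secure's monitoring code; the sightings, addresses and hostnames are constructed for illustration, and the one-hour activity window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of sightings from a monitoring node: (timestamp UTC, IP, reverse-DNS name).
# Addresses and hostnames are made up for illustration; None means no reverse DNS.
SIGHTINGS = [
    ("2002-09-16 14:00", "192.0.2.10", "web1.example.com"),
    ("2002-09-16 14:10", "192.0.2.11", "host.example.de"),
    ("2002-09-16 15:05", "192.0.2.10", "web1.example.com"),   # same machine seen again
    ("2002-09-16 15:50", "192.0.2.12", "srv.example.co.uk"),
    ("2002-09-16 15:55", "192.0.2.13", None),                  # unresolvable address
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def cumulative_members(sightings):
    """Every IP ever observed. This set never shrinks: a machine that was cleaned
    or taken offline is still counted, which is why this number alone misleads."""
    return {ip for _, ip, _ in sightings}

def active_members(sightings, now, window=timedelta(hours=1)):
    """IPs seen within `window` before `now` (assumed one hour): the figure that
    actually reflects the current size of the attack network."""
    cutoff = now - window
    return {ip for ts, ip, _ in sightings if cutoff <= parse_ts(ts) <= now}

def tld_distribution(sightings):
    """Count unique machines per top-level domain, taken from the reverse-DNS name.
    Each IP is counted once no matter how often it was seen."""
    name_by_ip = {}
    for _, ip, name in sightings:
        name_by_ip.setdefault(ip, name)
    counts = Counter()
    for name in name_by_ip.values():
        counts[name.rsplit(".", 1)[-1].lower() if name else "(unresolved)"] += 1
    return counts

if __name__ == "__main__":
    now = parse_ts("2002-09-16 16:00")
    print("cumulative:", len(cumulative_members(SIGHTINGS)))
    print("active in last hour:", len(active_members(SIGHTINGS, now)))
    print("per TLD:", dict(tld_distribution(SIGHTINGS)))
```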
F-Secure is working with various authorities to warn the administrators of the infected