F-Secure: Be Sure


Global Slapper Worm Information Center

Updated: Monday 26th of September, 2002 13:20 GMT

  
    Additional Resources

  • Virus Description
  • Press Release (9/14)
  • Press Release (9/15)
  • Download Updates
     

    NEWS UPDATE ON SLAPPER VARIANTS

    Two new variants of Slapper, "Cinik" and "Unlock" have been found over the weekend.

    For more information, see the virus description.

    As both the Cinik and Unlock variants use the same vulnerability as the original Slapper worm, most of their potential targets have already been updated and patched, which prevents infection.


    The Slapper Linux worm was found on September 13th 2002 around 23:00 GMT. It quickly spread around the world.

    Slapper spreads on Linux machines by exploiting a flaw discovered in August 2002 in the OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.

    The worm typically affects Linux machines that are running the Apache web server with OpenSSL enabled. Apache installations account for more than 60% of public web sites on the internet. It can be estimated that less than 10% of these installations have SSL services enabled. By some estimates, there are over one million active OpenSSL installations on the public web. A large proportion of these machines have not yet been patched to close this hole, and are therefore open to infection by the Slapper worm.

    Once a machine is infected by Slapper, it joins a massive peer-to-peer denial-of-service network that can be controlled by the virus author. Over the weekend, F-Secure engineers reverse engineered the peer-to-peer protocol the worm uses. F-Secure now has a computer connected to the Slapper peer-to-peer network, and through this node the exact number of infected machines and their network names can be identified.

    RESOURCES

    [Animation; the image link is not reproduced here.]

    DISINFECTION

    For instructions on how to clean a system infected with Slapper, consult the Virus Description.

    STATISTICS

    Because Slapper builds a peer-to-peer network of infected machines, its spread can be observed from inside that network. F-Secure has infiltrated the network to monitor the spread of the worm. This gives us real-time statistics on how many machines are currently part of the attack network, among other important information.

    A snapshot of the data on Sunday September 15th 2002 at 17:00 GMT showed that the network had 5987 machines.

    A new snapshot of the data on Monday September 16th 2002 at 14:45 GMT showed that the network had 11249 machines; the number roughly doubled in a day.

    A later snapshot on Monday around 16:00 GMT showed 13892 machines. However, this figure is quickly becoming useless, as a very large number of these machines have already been cleaned (we have sent e-mail warnings to their administrators).

    Much more interesting and relevant is the number of currently active IP addresses in the peer-to-peer network. This is illustrated by the graph below (updated automatically every hour).

    [Graph: "Active infected hosts" - number of currently active hosts in the worm's networks; the image is not reproduced here.]

    Note: Times in the graph are in Helsinki's time zone (standard time UTC/GMT +2; with the daylight saving adjustment of +1, the current offset is GMT +3).

    The drop visible in the graph on Wednesday the 18th indicates that administrators are running automated scripts that try to kill the worm process on infected servers. However, the hosts appear to be re-infected after a while.

    DOMAIN DISTRIBUTION

    The table below shows the top-level domain distribution of all machines that currently are, or have ever been, members of the worm's peer-to-peer DDoS network. It does not include infected machines that are unable to connect to the peer-to-peer network (for example because a firewall blocks them). A machine that is removed from the network (taken offline or cleaned) remains in the list, so the numbers in this table never decrease: they are the total count of current and previous unique machines in the network. This table was updated 2002-09-17 at 10:45 GMT.

    Top-level domain    Number of hosts
    numeric             4396
    net                 2319
    com                 1720
    edu                 532
    jp                  519
    it                  366
    tw                  343
    pl                  294
    ca                  203
    de                  191
    au                  165
    nl                  164
    ro                  143
    br                  136
    mx                  127
    es                  124
    kr                  116
    org                 115
    uk                  114
    fr                  112
    cz                  97
    ru                  83
    fi                  82
    ar                  77
    cn                  74
    at                  63
    dk                  62
    se                  55
    hk                  55
    hu                  54
    ch                  49
    th                  48
    cl                  47
    za                  46
    pt                  42
    be                  42
    gb                  41
    us                  39
    no                  38
    in                  36
    uy                  34
    sk                  33
    ua                  26
    ph                  25
    ir                  25
    ee                  24
    id                  22
    gr                  22
    bg                  21
    tr                  20
    co                  19
    mil                 15
    lv                  15
    il                  14
    bo                  14
    sg                  13
    gov                 13
    ie                  11
    is                  9
    pe                  8
    my                  8
    hr                  8
    yu                  7
    si                  7
    pk                  7
    nz                  7
    gt                  7
    ec                  7
    biz                 7
    info                6
    tv                  5
    pa                  5
    ni                  5
    cc                  5
    vn                  4
    to                  4
    sv                  4
    su                  4
    np                  4
    lt                  4
    cu                  4
    ws                  3
    ve                  3
    sa                  3
    py                  3
    lb                  3
    ke                  3
    by                  3
    tz                  2
    mz                  2
    mg                  2
    md                  2
    ma                  2
    ly                  2
    eu                  2
    eg                  2
    zw                  1
    vi                  1
    vg                  1
    tn                  1
    tg                  1
    sn                  1
    nu                  1
    mu                  1
    mn                  1
    mk                  1
    mc                  1
    lu                  1
    lk                  1
    kw                  1
    cx                  1
    cr                  1
    ci                  1
    bn                  1
    ba                  1
    am                  1
    ae                  1
    ac                  1
    TOTAL               13892

    This is the total amount of current and past machines in the network.
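    The two statistics reported on this page, the hourly count of currently active hosts in the STATISTICS section and the cumulative per-domain table in DOMAIN DISTRIBUTION that never decreases, can both be derived from a log of peer sightings of the kind a monitoring node inside the worm's network would collect. The Python below is an added illustration and is not F-Secure's monitoring code or any part of the worm; the sighting records, the IP addresses (taken from documentation ranges) and the host names in it are constructed, and the one-hour activity window is an assumption, since the page does not say how "currently active" is defined.

```python
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample (not real data): each record is the UTC time a peer
# announced itself to the monitoring node, the IP address it came from, and
# the reverse-DNS name resolved for it (None when no PTR record existed).
SIGHTINGS = [
    ("2002-09-15 16:00", "192.0.2.10",   "www.example.edu"),
    ("2002-09-15 16:05", "192.0.2.11",   "host11.example.net"),
    ("2002-09-15 16:10", "198.51.100.7", None),
    ("2002-09-15 16:40", "203.0.113.5",  "mail.example.co.jp"),
    # 17:00-17:50 is quiet: assume administrators' scripts killed the process
    ("2002-09-15 17:50", "192.0.2.11",   "host11.example.net"),
    ("2002-09-15 18:30", "192.0.2.10",   "www.example.edu"),   # seen again: re-infected
    ("2002-09-15 18:40", "198.51.100.7", None),
    ("2002-09-15 18:55", "198.51.100.8", "198.51.100.8"),      # PTR is just the IP
]

FMT = "%Y-%m-%d %H:%M"


def parse(sightings):
    """Convert the raw tuples into (datetime, ip, name) records."""
    return [(datetime.strptime(ts, FMT), ip, name) for ts, ip, name in sightings]


def tld_of(name):
    """Last label of a host name, lower-cased; 'numeric' when the host has no
    usable name (no PTR record, or a PTR that is only an IP literal)."""
    if not name:
        return "numeric"
    try:
        ipaddress.ip_address(name)
        return "numeric"
    except ValueError:
        return name.rstrip(".").rsplit(".", 1)[-1].lower()


def cumulative_tld_distribution(sightings):
    """Every unique IP ever seen, bucketed by TLD. Like the page's table this
    only grows: a host that is cleaned or goes offline stays counted."""
    name_by_ip = {}
    for _, ip, name in parse(sightings):
        name_by_ip.setdefault(ip, name)          # first sighting wins
    return Counter(tld_of(n) for n in name_by_ip.values())


def distribution_rows(sightings):
    """Table rows ordered like the page: largest bucket first, then by name."""
    dist = cumulative_tld_distribution(sightings)
    return sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))


def active_hosts(sightings, at, window_minutes=60):
    """IPs seen in the window_minutes before `at` (a "%Y-%m-%d %H:%M" string):
    the 'currently active' figure, which can fall as well as rise."""
    end = datetime.strptime(at, FMT)
    start = end - timedelta(minutes=window_minutes)
    return {ip for t, ip, _ in parse(sightings) if start <= t <= end}


def activity_series(sightings, start, end, step_minutes=60, window_minutes=60):
    """(timestamp, active-host count) at each step; a dip followed by a
    recovery is the 'killed, then re-infected' pattern the page describes."""
    t, stop = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    series = []
    while t <= stop:
        stamp = t.strftime(FMT)
        series.append((stamp, len(active_hosts(sightings, stamp, window_minutes))))
        t += timedelta(minutes=step_minutes)
    return series


if __name__ == "__main__":
    for stamp, n in activity_series(SIGHTINGS, "2002-09-15 16:00", "2002-09-15 19:00"):
        print(f"{stamp}  active hosts: {n}")
    for tld, n in distribution_rows(SIGHTINGS):
        print(f"{tld:<10}{n}")
    print(f"TOTAL     {sum(cumulative_tld_distribution(SIGHTINGS).values())}")
```

    With the constructed log the hourly series reads 1, 4, 1, 3: the quiet hour after the kill scripts shows as the dip, and the re-appearing hosts bring the count back up, while the cumulative table keeps all five hosts and puts the two unresolvable addresses in the "numeric" bucket, exactly the asymmetry between the graph and the table that the page points out.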

    F-Secure is working with various authorities to warn the administrators of the infected machines.
