Sophos, a world leader in corporate anti-virus protection, is
advising system administrators that the Slapper worm is easily
defeated.
Linux/Slapper-A breaks
into vulnerable systems by exploiting a buffer overflow bug in the
OpenSSL module of the Apache web server on some Linux systems. If
the buffer overflow is successful, the worm injects its own source
code (written in C) onto the victim's computer. It then compiles
the code into program form and executes the program it has just
created.
Once running, Linux/Slapper-A opens up a backdoor which can be
contacted via UDP port 2002. The backdoor is intended to allow a
range of attacks to be initiated from infected computers, such as
executing arbitrary commands, creating TCP floods, creating DNS
floods and searching for email addresses on disk.
"Defeating the Slapper is actually pretty easy," says Paul
Ducklin, Sophos's Head of Global Support. "There are a number of
simple actions you can take which will prevent your servers from
being infected by the worm or abused by its backdoor. These actions
will improve your overall security, too."
Sophos's Safe Hex guidelines for internet servers are:

1. Don't keep copies of the C compiler on your production web
servers. Build binaries in a protected environment and export them
to your live systems. (Without the 'gcc' compiler, Slapper cannot
infect your server.)

2. If you must have a compiler on your production servers, do not
give unprivileged users execute rights to it. (Apache usually runs
as 'nobody', which is the user ID Slapper gets when it tries to
break in.)

3. If you have multi-purpose servers which offer a range of
internet services, consider using 'chroot' to regulate the areas of
the system which each server process can access. This helps
restrict inappropriate interaction between server processes in the
event that one process is breached. (A 'chrooted' Slapper can't
scan your whole hard disk for email address data.)

4. Don't open ports in your firewall which you are not going to
use. (If you do not use SSL, then blocking port 443 prevents
Slapper from attacking. Blocking port 2002 prevents Slapper's
backdoor from being contacted.)

5. Don't assume that all processes running on your server are
supposed to be there. (Slapper runs as a process called '.bugtraq'.
Kill the process and you stop that instance of the worm.)

6. Keep up-to-date with security advisories and patches. If there
are vulnerabilities in your servers which the "Good Guys" know
about, be certain that the "Bad Guys" know about them, too.
(Slapper can't break in if you update the OpenSSL module which your
Apache server is using.)
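The guidelines above read as a checklist, and four of them (compiler
execute rights, open ports, the '.bugtraq' process, and the OpenSSL
version) can be scripted. The POSIX shell audit below is an added
example written for this page, not Sophos code and not the Safe Hex
guidelines themselves. Each check takes its input as text (the mode
field from `ls -l`, "proto port" socket lines, `ps -eo pid,user,comm`
output, `openssl version` output), so it can be run over data captured
from another host or, with SLAPPER_AUDIT_LIVE=1, against the local
machine. The sample inputs are constructed. The fixed-version threshold
(OpenSSL 0.9.6e, or 0.9.7-beta3 in the 0.9.7 line) comes from the
OpenSSL project's July 2002 advisory, not from this release; the
function names and the SLAPPER_AUDIT_LIVE, LISTENING and ALLOWED
variables are this example's own.

```shell
#!/bin/sh
# Added audit helpers (not Sophos code) for the Safe Hex checks above.
# Every check takes its input as text so it can be run over captured
# output; the SLAPPER_AUDIT_LIVE branch gathers values from this host.

# Guideline 2: is gcc executable by unprivileged users such as 'nobody'?
# $1 is the mode field from `ls -l`, e.g. "-rwxr-xr-x". Characters 8-10
# are the "other" triplet; an x (or t) there means anyone can run it.
compiler_world_executable() {
    other=$(printf '%s' "$1" | cut -c8-10)
    case "$other" in
        *x*|*t*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Guideline 4: which listening sockets are not on the expected-service list?
# $1 is "proto port" lines (built from netstat/ss output); $2 is a
# space-separated allow-list such as "tcp/22 tcp/80". Prints one
# unexpected listener per line (e.g. udp/2002, the Slapper backdoor port).
unexpected_listeners() {
    allowed=" $2 "
    printf '%s\n' "$1" | while read -r proto port; do
        [ -n "$proto" ] || continue
        case "$allowed" in
            *" $proto/$port "*) ;;            # expected service, ignore
            *) echo "$proto/$port" ;;
        esac
    done
}

# Guideline 5: print the PID of every process whose command is '.bugtraq'.
# $1 is "PID USER COMMAND" lines, as printed by `ps -eo pid,user,comm`.
find_bugtraq_processes() {
    printf '%s\n' "$1" | awk '$3 == ".bugtraq" || $3 ~ /\/\.bugtraq$/ { print $1 }'
}

# Guideline 6: does the installed OpenSSL predate the fix for the SSLv2
# overflow Slapper used? Threshold (0.9.6e; 0.9.7-beta3 in the 0.9.7 line)
# is from the OpenSSL advisory of July 2002, not from the Sophos text.
# $1 is the output of `openssl version`, e.g. "OpenSSL 0.9.6d 9 May 2002".
openssl_is_patched() {
    ver=$(printf '%s' "$1" | awk '{ print $2 }')
    case "$ver" in
        '')                   return 1 ;;   # nothing reported: treat as unpatched
        0.[0-8].*)            return 1 ;;   # pre-0.9 releases
        0.9.[0-5]*)           return 1 ;;   # 0.9.0 - 0.9.5x
        0.9.6|0.9.6[a-d]*)    return 1 ;;   # 0.9.6 - 0.9.6d
        0.9.7-beta[12]*)      return 1 ;;   # early 0.9.7 betas
        *)                    return 0 ;;   # 0.9.6e+, 0.9.7-beta3+, 1.x and later
    esac
}

# Run all four checks and print one FINDING line each. Returns 0 when
# nothing was found, 1 otherwise. Arguments: gcc mode, listener lines,
# allow-list, ps output, openssl version string.
audit() {
    gcc_mode="$1"; listening="$2"; allowed="$3"; ps_out="$4"; ssl_ver="$5"
    rc=0
    if [ -n "$gcc_mode" ] && compiler_world_executable "$gcc_mode"; then
        echo "FINDING: gcc is executable by unprivileged users ($gcc_mode)"; rc=1
    fi
    for l in $(unexpected_listeners "$listening" "$allowed"); do
        echo "FINDING: unexpected listener $l"; rc=1
    done
    for p in $(find_bugtraq_processes "$ps_out"); do
        echo "FINDING: '.bugtraq' process running, pid $p"; rc=1
    done
    if [ -n "$ssl_ver" ] && ! openssl_is_patched "$ssl_ver"; then
        echo "FINDING: OpenSSL '$ssl_ver' predates the fix; update it"; rc=1
    fi
    return $rc
}

# Constructed sample inputs standing in for a server with all four problems.
SAMPLE_GCC_MODE="-rwxr-xr-x"
SAMPLE_LISTEN="tcp 22
tcp 80
tcp 443
udp 2002"
SAMPLE_PS="1 root init
1437 nobody httpd
4242 nobody .bugtraq"
SAMPLE_SSL="OpenSSL 0.9.6d 9 May 2002"

if [ "${SLAPPER_AUDIT_LIVE:-0}" = 1 ]; then
    # Live values from this host; socket lines are supplied via $LISTENING.
    gcc_path=$(command -v gcc 2>/dev/null)
    gcc_mode=""; [ -n "$gcc_path" ] && gcc_mode=$(ls -lL "$gcc_path" | cut -c1-10)
    audit "$gcc_mode" "${LISTENING:-}" "${ALLOWED:-tcp/22 tcp/80}" \
          "$(ps -eo pid,user,comm)" "$(openssl version 2>/dev/null)" \
        || echo "Audit complete: findings listed above"
else
    audit "$SAMPLE_GCC_MODE" "$SAMPLE_LISTEN" "tcp/22 tcp/80" "$SAMPLE_PS" "$SAMPLE_SSL" \
        || echo "Audit complete: findings listed above"
fi
```

Run without arguments to see the four findings on the constructed
sample; run with `SLAPPER_AUDIT_LIVE=1 LISTENING="$(...)"` to check the
local host, feeding it "proto port" lines derived from your own socket
listing. Guidelines 1 and 3 (no compiler at all, chroot per service)
are configuration choices rather than checks and are left to the
administrator.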
"The combination relied upon by Slapper is: Linux, Apache,
OpenSSL and gcc," added Ducklin. "Take any one of these out of the
equation and the worm will not replicate on your server. But don't
rest on your laurels if you aren't vulnerable this time. Take the
opportunity to protect yourself for the future."
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.