Sophos says Slapper sorted simply

September 17, 2002 Sophos Press Release

Sophos, a world leader in corporate anti-virus protection, is advising system administrators that the Slapper worm is easily defeated.

Linux/Slapper-A breaks into vulnerable systems by exploiting a buffer overflow bug in the OpenSSL module of the Apache web server on some Linux systems. If the buffer overflow is successful, the worm injects its own source code (written in C) onto the victim's computer. It then compiles the code into program form and executes the program it has just created.

Once running, Linux/Slapper-A opens up a backdoor which can be contacted via UDP port 2002. The backdoor is intended to allow a range of attacks to be initiated from infected computers, such as executing arbitrary commands, creating TCP floods, creating DNS floods and searching for email addresses on disk.

"Defeating the Slapper is actually pretty easy," says Paul Ducklin, Sophos's Head of Global Support. "There are a number of simple actions you can take which will prevent your servers from being infected by the worm or abused by its backdoor. These actions will improve your overall security, too."

Sophos's Safe Hex guidelines for internet servers are:

  • Don't keep copies of the C compiler on your production web servers. Build binaries in a protected environment and export them to your live systems. (Without the 'gcc' compiler, Slapper cannot infect your server.)

  • If you must have a compiler on your production servers, do not give unprivileged users execute rights to it. (Apache usually runs as 'nobody', which is the user ID Slapper gets when it tries to break in.)

  • If you have multi-purpose servers which offer a range of internet services, consider using 'chroot' to regulate the areas of the system which each server process can access. This helps restrict inappropriate interaction between server processes in the event that one process is breached. (A 'chrooted' Slapper can't scan your whole hard disk for email address data.)

  • Don't open ports in your firewall which you are not going to use. (If you do not use SSL, then blocking port 443 prevents Slapper from attacking. Blocking port 2002 prevents Slapper's backdoor from being contacted.)

  • Don't assume that all processes running on your server are supposed to be there. (Slapper runs as a process called '.bugtraq'. Kill the process and you stop that instance of the worm.)

  • Keep up-to-date with security advisories and patches. If there are vulnerabilities in your servers which the "Good Guys" know about, be certain that the "Bad Guys" know about them, too. (Slapper can't break in if you update the OpenSSL module which your Apache server is using.)
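The guidelines above can be turned into a quick server audit. The script below is an added example, not Sophos's code: it checks whether a compiler is executable by unprivileged accounts, scans a process listing for the '.bugtraq' process name, and emits firewall rules for ports 443 and 2002. The compiler names (gcc, cc), the sample process listing, the iptables commands and the SERVES_SSL variable are assumptions for illustration; the only facts taken from the release are the process name, the ports and the 'nobody' account.

```shell
#!/bin/sh
# Added audit script for the Safe Hex guidelines above. Not Sophos's code:
# compiler names, the sample ps listing and the firewall commands are
# illustrative assumptions.

# --- Guidelines 1 and 2: compiler exposure ---------------------------------
# Report whether a file carries the "other" execute bit, i.e. whether an
# unprivileged account such as 'nobody' could run it. The mode is parsed
# from column 10 of `ls -ld` (POSIX); 'x' or 't' there means
# world-executable ('t' is the sticky bit on top of the execute bit).
world_executable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Look up the compilers a Slapper-style build step needs. Returns 0 (the
# exposed state) when at least one is present and world-executable.
compiler_exposed() {
    exposed=1
    for c in gcc cc; do
        p=$(command -v "$c" 2>/dev/null) || continue
        if world_executable "$p"; then
            echo "exposed compiler: $p"
            exposed=0
        fi
    done
    return $exposed
}

# --- Guideline 5: rogue processes ------------------------------------------
# Scan a `ps -eo pid,user,comm` listing read from stdin and print the PIDs
# whose command name is '.bugtraq'. Returns 0 if any were found, 1 if none.
find_bugtraq_procs() {
    awk '$3 == ".bugtraq" { print $1; found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample listing (not real output): two worm instances running
# under the web server's 'nobody' account beside a legitimate httpd.
SAMPLE_PS='  PID USER     COMMAND
    1 root     init
  812 nobody   httpd
  905 nobody   .bugtraq
  906 nobody   .bugtraq'

# --- Guideline 4: firewall -------------------------------------------------
# Emit iptables rules that drop the backdoor port and, unless this host
# serves SSL, the port the worm attacks. Printed rather than applied so an
# administrator can review them first. Usage: firewall_rules yes|no
firewall_rules() {
    echo "iptables -A INPUT -p udp --dport 2002 -j DROP   # Slapper backdoor"
    if [ "$1" != "yes" ]; then
        echo "iptables -A INPUT -p tcp --dport 443 -j DROP   # no SSL served here"
    fi
}

# --- Live audit (only runs when invoked as: sh audit.sh --live) -------------
run_live_audit() {
    if compiler_exposed; then
        echo "WARN: remove the compiler or revoke execute rights for unprivileged users"
    else
        echo "OK: no world-executable compiler found"
    fi
    if pids=$(ps -eo pid,user,comm | find_bugtraq_procs); then
        echo "WARN: '.bugtraq' processes running: $(echo $pids)"
    else
        echo "OK: no '.bugtraq' process"
    fi
    echo "Suggested firewall rules (serving SSL: ${SERVES_SSL:-no}):"
    firewall_rules "${SERVES_SSL:-no}"
}

if [ "${1:-}" = "--live" ]; then
    run_live_audit
fi
```

The world-execute bit is a portable approximation of "unprivileged users can run it": a compiler that is group-executable by a group 'nobody' belongs to is still exposed, so on a real server also review group ownership. Killing a '.bugtraq' process stops that instance only; the patch and firewall steps are what keep it from coming back.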

"The combination relied upon by Slapper is: Linux, Apache, OpenSSL and gcc," added Ducklin. "Take any one of these out of the equation and the worm will not replicate on your server. But don't rest on your laurels if you aren't vulnerable this time. Take the opportunity to protect yourself for the future."