Slapper variants pose minor threat

Two variants of the Slapper worm have emerged, but they should pose only a minor threat. The greater threat is the availability of the worm's source code, which virus writers could reuse for some time to come.

Two variants of the Slapper worm have surfaced thanks to its source code being widely distributed, virus experts say.

The two variants of Slapper, dubbed Slapper.B and Slapper.C, were discovered early this week. The variants are also called "Cinik" and "Unlock," after the file names the worms employ.

The new worms, however, don't pose much of a security risk because they exploit the same vulnerability as the original Slapper worm. Users who employed workarounds or patched their systems are safe from the variants. Yet the variants could signify the beginning of new worms spawned from the Slapper source code.

The original worm -- Slapper.A, as it's commonly known -- reared its head a week ago, targeting a vulnerability in versions of OpenSSL running on Linux-based Apache Web servers. The worm takes advantage of a buffer overflow vulnerability in the open-source version of Secure Sockets Layer, a method for creating secured HTTP connections.

After infecting a machine, the worm tries to connect to a peer-to-peer network and could enable a denial of service attack.

The new worms technically aren't more hazardous than the original, said Dan Ingevaldson, team lead for Atlanta-based Internet Security Systems' X-Force R&D. Bugs weren't fixed in the code. Significant new functionality wasn't added.

Though it's impossible to tell, it's unlikely that the worm variants were released by the author of Slapper.A, said Mikael Albrecht, product manager for antivirus solutions at Helsinki, Finland-based F-Secure, since "only minor adjustments were made before being released again."

The variants, however, use different ports to connect to the back door of the system created by the original worm. Slapper.B uses port 1978 to connect to the back door rather than port 2002, which Slapper.A used. Slapper.C uses port 4156.

They also include a "mailme()" function, which e-mails the IP address and hostname of the infected system back to an e-mail address most likely controlled by the writer.
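One defender-side check that follows from these details, as an added example that is not from the article or the researchers quoted in it: scan connection records for the back-door ports named above (mapped to the variant that uses each) and for a Web server originating mail traffic, which is what the mailme() report would look like on the wire. The log format, the list of known Web servers and the sample records are constructed assumptions.

```python
"""Flag network-log evidence of Slapper.A/B/C activity (added example)."""
from collections import defaultdict

# Back-door ports the article reports for each variant.
SLAPPER_PORTS = {2002: "Slapper.A", 1978: "Slapper.B", 4156: "Slapper.C"}

# Constructed sample records: timestamp src sport dst dport proto.
SAMPLE_LOG = """\
2002-09-23T10:01:02 10.0.0.5 40231 10.0.0.9 443 tcp
2002-09-23T10:01:05 10.0.0.9 2002 192.0.2.44 2002 udp
2002-09-23T10:02:11 10.0.0.9 33445 198.51.100.7 25 tcp
2002-09-23T10:03:40 10.0.0.12 1978 203.0.113.5 1978 udp
2002-09-23T10:04:01 10.0.0.5 51000 10.0.0.9 80 tcp
"""


def parse_line(line):
    """Split one constructed-format record into a dict with integer ports."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def find_slapper_activity(log_text, web_servers):
    """Return {source host: [alert strings]} for suspicious records.

    Two signals are checked:
      * any connection to a known Slapper back-door port (2002/1978/4156);
      * a host in `web_servers` originating SMTP (port 25), which a Web
        server normally has no reason to do and which matches the
        variants' mailme() report of the victim's IP and hostname.
    """
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        variant = SLAPPER_PORTS.get(rec["dport"])
        if variant:
            alerts[rec["src"]].append(
                f"{variant} back-door port {rec['dport']} -> {rec['dst']}")
        if rec["src"] in web_servers and rec["dport"] == 25:
            alerts[rec["src"]].append(
                f"outbound SMTP to {rec['dst']} (possible mailme() beacon)")
    return dict(alerts)


if __name__ == "__main__":
    for host, found in find_slapper_activity(SAMPLE_LOG, {"10.0.0.9", "10.0.0.12"}).items():
        print(host, found)
```

Hosts flagged on a back-door port should be checked for the original OpenSSL exposure as well, since all three variants arrive through the same hole.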

The mere existence of Slapper.B and Slapper.C is not as worrisome as the fact that someone reused the source code so quickly. Ingevaldson predicts other worms will be written using the Slapper code and will perhaps take advantage of other vulnerabilities. Slapper's ability to create a peer-to-peer network, combined with new automatic attack tools, could make for a dangerous combination, he said.

Albrecht agrees that it's very likely that the code for Slapper will resurface in some form.

"We saw the same thing in '95 when macro viruses began appearing. The source code was available, so we saw a huge amount of copycats," he said.

Moreover, Ingevaldson rejects the argument that having the source code available will make fighting future worms easier.

"Reverse engineering worms is pretty easy. We can do it quickly," he said. "The dangers of having the source code available severely outweigh any potential benefits."
