Linux/Slapper
Analysis
- The virus attacks Apache servers using an exploit in SSL (the server's OpenSSL library).
- A host is only at risk if it runs an OpenSSL version prior to 0.9.6e.
- The virus scans a random set of IP addresses for HTTP server response strings. If the string matches an entry in a predefined table, the virus attempts to infect that system as a viable host, attacking OpenSSL on TCP port 443 with a buffer overflow.
- Once the target system is compromised, the virus copies its code to the target as UUEncoded source. Using tools located on the target system, it then decodes the source and compiles it into a Linux executable.
- Infection creates root access to the infected system, in effect granting remote administrative access to the host.
- The virus opens UDP port 2002 and awaits commands from a hacker.
- Similarities exist between this virus and Linux/Scalper with respect to comments in the source code and the infection method.
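Two host-side checks that follow from the analysis above, written here as an added example (not code from the original analysis): a comparison of the local OpenSSL release against the 0.9.6e threshold, and a scan of /proc/net/udp for a listener on UDP 2002. The `openssl version` banner format and the /proc/net/udp column layout are assumed from standard Linux tooling, and the /proc sample is constructed.

```python
import re

# Per the analysis above: Slapper needs OpenSSL < 0.9.6e and listens on UDP 2002.
FIXED_VERSION = (0, 9, 6, "e")
SLAPPER_UDP_PORT = 2002

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_openssl_version(banner: str) -> tuple:
    """Parse `openssl version` output into a comparable tuple.
    The trailing letter is a patch level, so 0.9.6e > 0.9.6d > 0.9.6
    (an empty suffix sorts lowest)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def is_vulnerable_version(banner: str) -> bool:
    """True when the installed OpenSSL predates the 0.9.6e fix."""
    return parse_openssl_version(banner) < FIXED_VERSION

def udp_listeners(proc_net_udp: str) -> set:
    """Return the local UDP ports listed in /proc/net/udp text.
    The local_address column is hex IP:PORT; the first line is a header."""
    ports = set()
    for line in proc_net_udp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        _ip_hex, port_hex = fields[1].rsplit(":", 1)
        ports.add(int(port_hex, 16))
    return ports

def slapper_port_bound(proc_net_udp: str) -> bool:
    """True when something is bound to UDP 2002 (an indicator, not proof)."""
    return SLAPPER_UDP_PORT in udp_listeners(proc_net_udp)

# Constructed sample of /proc/net/udp (not a real capture): NTP on
# UDP 123 (0x007B) and a listener on 2002 (0x07D2).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  33: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0
"""

if __name__ == "__main__":
    print("vulnerable OpenSSL:", is_vulnerable_version("OpenSSL 0.9.6d 9 May 2002"))
    print("UDP 2002 bound:", slapper_port_bound(SAMPLE_PROC_NET_UDP))
```

On a live host, feed `udp_listeners` the contents of /proc/net/udp and `is_vulnerable_version` the output of `openssl version`; a hit on port 2002 alone only warrants a closer look at the owning process, since any other program bound there trips the same check.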