Results 1 to 3 of 3

Hybrid View

  1. #1
    Join Date
    Feb 2002
    Location
    The Netherlands
    Posts
    308

    * Propagation of "Slapper" OpenSSL/Apache Worm Variant

    Alerts
    Internet Security Systems Security Alert
    September 22, 2002

    Propagation of "Slapper" OpenSSL/Apache Worm Variant

    Synopsis:

    ISS X-Force has learned of the existence of a variant of the "Slapper" (also
    known as Slapper.A) worm that X-Force documented in a X-Force Security Alert
    on September 14, 2002. The new variant, named Slapper.B, has several subtle
    differences from the first Slapper worm, but it is for the most part an
    updated version of its predecessor. Both versions carry the same attack
    payload and attempt to exploit a previously disclosed vulnerability in the
    Secure Sockets Layer 2.0 (SSLv2) handshake process. Slapper.A and Slapper.B
    both target the Linux operating system running the Apache Web server with
    OpenSSL.

    Impact:

    The impact of Slapper.B is the same as that of Slapper.A. Both worms carry
    backdoor and distributed denial of service (DDoS) functionality. X-Force noted
    that it was significant that source code for Slapper.A was distributed within
    the computer underground immediately after the worm was detected in the wild.
    Widespread access to the source code has no doubt contributed to the spread of
    Slapper variants and X-Force predicts that Slapper will be used as a
    development platform for future variants. Slapper.B has infected more than
    9500 hosts by September 22, 2002, 16:00 (UTC-4).

    Affected Versions:

    OpenSSL versions up to and including 0.9.6d and 0.9.7 beta1

    Current versions of the Slapper worm only target the following Linux
    distributions. The worm may trigger unpredictable results on additional Unix
    platforms. Other Unix platforms, as well as Apache with OpenSSL for Windows,
    may also be vulnerable to the OpenSSL vulnerability.

    Debian Linux, Apache 1.3.26
    Red Hat Linux, Apache 1.3.6
    Red Hat Linux, Apache 1.3.9
    Red Hat Linux, Apache 1.3.12
    Red Hat Linux, Apache 1.3.19
    Red Hat Linux, Apache 1.3.20
    Red Hat Linux, Apache 1.3.23
    SuSE Linux, Apache 1.3.12
    SuSE Linux, Apache 1.3.17
    SuSE Linux, Apache 1.3.19
    SuSE Linux, Apache 1.3.20
    SuSE Linux, Apache 1.3.23
    Mandrake Linux, Apache 1.3.14
    Mandrake Linux, Apache 1.3.19
    Mandrake Linux, Apache 1.3.20
    Mandrake Linux, Apache 1.3.23
    Slackware Linux, Apache 1.3.26
    Gentoo Linux (Apache version undetermined)

    Description:

    Please refer to the X-Force Security Alert titled, "Slapper OpenSSL/Apache
    Worm Propagation" for general information about the Slapper worm:
    http://bvlive01.iss.net/issEn/delive....jsp?oid=21130

    The Slapper.B worm has several new features and modifications from the
    previous version. These changes are outlined below.

    Peer-to-Peer Network

    Slapper.B creates a peer-to-peer network of compromised hosts that communicate
    on UDP port 4156.

    New Functions

    Slapper.B has a new function called, "mailme()" that sends an email to
    aion@ukr.net containing the IP address and hostname of the infected computer
    and, the hostname of the server it is linked to.

    Slapper.B contains a new interactive backdoor function. Slapper.A allowed
    attackers to execute commands via the peer-to-peer network. Slapper.B has a
    supplemental backdoor that listens on TCP port 1052. Attackers must supply a
    password before Slapper.B grants an interactive command shell.

    Filenames and Process Names

    /tmp/httpd - Slapper.B worm binary
    /tmp/update - Slapper.B backdoor process
    /tmp/.unlock - Gzip compressed file with worm and backdoor source

    Slapper.B changes its process name to "httpd", to appear the same as running
    Apache Web server process.

    Recommendations:

    RealSecure 7.0 customers can configure a user-defined event to detect
    exploit attempts.

    alert tcp any any -> any 443 (content: "TERM=xterm"; content:
    "exec bash"; nocase; msg: "XTerm invoked from SSL connection"

    RealSecure Server Sensor customers can configure a user-defined event to
    detect exploitation attempts. Server Sensor customers should consider creating
    a rule to detect the string, "SSL handshake failed" within Apache error log
    file.

    RealSecure customers can also follow the following steps to configure a
    user-defined event to detect the email that Slapper.B sends:

    From the Sensor window:
    1. Right-click on the sensor and select "Properties".
    2. Choose a policy you want to use, and click "Customize".
    3. Select the "User Defined Events" tab.
    4. Click "Add" on the right hand side of the dialog box.
    5. Create an User Defined Event.
    6. Type in a name of the event, such as "Slapper.B email".
    7. In the "Context" field for each event, select "Email_Receiver".
    In the "String" field, type the following for the event:
    aion@ukr.net
    8. Click "Save", and then "Close".
    9. Click "Apply to Sensor" or "Apply to Engine".

    RealSecure Server Sensor customers can configure a user-defined event to
    detect exploitation attempts. Server Sensor customers should consider creating
    a rule to detect the string, "SSL handshake failed" within Apache error log
    file.

    For more information on RealSecure 7.0 TRONS events, search for "trons" in the
    ISS Knowledgebase: http://www.iss.net/support/knowledgebase/.

    ISS X-Force has provided detection and assessment support for the Slapper worm
    and the OpenSSL vulnerability in X-Press Updates for RealSecure Network Sensor
    and Internet Scanner. These XPUs are available now from the ISS Download
    Center:
    http://www.iss.net/download

    Any users with installations of OpenSSL up to and including 0.9.6d or
    0.9.7beta1 are encouraged to immediately upgrade to the latest version of
    OpenSSL (currently 0.9.6g).

    Administrators should consider one or more of the following temporary
    workaround solutions to block and/or disable the propagation of the worm:

    1) Disabling mod_ssl HTTPS connections completely if unneeded:

    Comment the following line in "httpd.conf":

    Listen 443

    #Listen 443

    2) Disable the SSLv2 protocol if unneeded. Locate the SSLCipherSuite
    directive in httpd.conf.

    If it is commented out, uncomment it.

    Append ":!SSLv2" to the end of the directive, and remove any portion which may
    enable SSLv2 such as: ":+SSLv2".

    Ensure that other ciphers are correctly configured. For these changes to take
    effect, the server must be restarted.

    3) Administrators should consider disabling all compilers on production or
    externally facing systems. While this is workaround may not block any future
    variants, it will block propagation of this worm. Disabling compilers on
    production systems is a good general security practice.

    The Slapper.B worm attempts to disguise itself as a running "httpd" process,
    so disabling it won't be as straightforward as disinfecting Slapper.A. To
    disable the worm on an infected host, administrators must use the netstat,
    ps, and pstree commands to locate suspect processes. Consider the following
    commands below to locate potential infections:

    1. Locate and kill the worm process.

    netstat -anp | grep 4156 | grep -i UDP
    pstree -p
    kill -9

    2. Locate and kill the backdoor process.

    ps -aux | grep update | grep apache
    pstree -p
    kill -9

    Additional Information:

    OpenSSL Project
    http://www.openssl.org

    ISS X-Force Database
    http://www.iss.net/security_center/static/9714.php
    http://www.iss.net/security_center/static/10098.php

    Credits:

    ISS X-Force would like to thank Cristine Hoepers of the Brazilian
    Network Information Center for her assistance.
    ______

    About Internet Security Systems (ISS)
    Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
    pioneer and world leader in software and services that protect critical
    online resources from an ever-changing spectrum of threats and misuse.
    Internet Security Systems is headquartered in Atlanta, GA, with
    additional operations throughout the Americas, Asia, Australia, Europe
    and the Middle East.

    Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
    worldwide.

    Permission is hereby granted for the electronic redistribution of this
    document. It is not to be edited or altered in any way without the
    express written consent of the Internet Security Systems X-Force. If you
    wish to reprint the whole or any part of this document in any other
    medium excluding electronic media, please email xforce@iss.net for
    permission.

    Disclaimer: The information within this paper may change without notice.
    Use of this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties, implied or otherwise, with regard to
    this information or its use. Any use of this information is at the
    user's risk. In no event shall the author/distributor (Internet Security
    Systems X-Force) be held liable for any damages whatsoever arising out
    of or in connection with the use or spread of this information.

    X-Force PGP Key available on MIT's PGP key server and PGP.com's key
    server, as well as at http://www.iss.net/security_center/sensitive.php

    Please send suggestions, updates, and comments to: X-Force
    xforce@iss.net of Internet Security Systems, Inc.
    [B]
    http://www.HaVa.nl
    Reliable hosting and Colocation

  2. #2
    Join Date
    Dec 2001
    Location
    gulf of mexico
    Posts
    52
    hi.. how do you tell if you could be infected?

    tia.

    regards

    what command should we run in ssh?

    ciao

    oh yeah.. We do not use SSL at al.. and do not have anything from openSSL installed..

    still would like to check it out..
    thanks
    Last edited by gargonzo; 09-27-2002 at 04:15 PM.

  3. #3
    Join Date
    Dec 2001
    Location
    gulf of mexico
    Posts
    52
    locate bugtraq.c

    find / -name .bugtraq
    find / -name bugtraq.c


    Originally posted by Cyborg
    I got this information from the sun forum.
    For Raq owners!


    patch is in QA right now. I don't have a timeframe for release, but I have been told "real soon"
    In the meantime.....
    This is not an official Sun patch or workaround. It works for Tony

    Telnet or ssh into your server & become root
    edit httpd.conf & append to the end of it the following string
    ServerTokens ProductOnly

    then cd /tmp
    touch .bugtraq.c
    ls -al (make sure .bugtraq.c is a 0 byte file)
    chmod 000 .bugtraq.c
    chattr +i .bugtraq.c

    /etc/rc.d/init.d/httpd restart

    Tony
    Sun Microsystems

    all the above shamlessly cont+c --cont+v from rackshack.net forums.. thanks to all who posted there,.,

    ciao

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •