ISS Security Brief: Propagation of "Slapper" OpenSSL/Apache Worm Variant

From: X-Force
Date: Sun, 22 Sep 2002 17:28:16 -0400 (EDT)



Internet Security Systems Security Brief
September 22, 2002
Propagation of "Slapper" OpenSSL/Apache Worm Variant
ISS X-Force has learned of the existence of a variant of the "Slapper" (also
known as Slapper.A) worm that X-Force documented in an X-Force Security Alert
on September 14, 2002. The new variant, named Slapper.B, has several subtle
differences from the first Slapper worm, but it is for the most part an
updated version of its predecessor. Both versions carry the same attack
payload and attempt to exploit a previously disclosed vulnerability in the
Secure Sockets Layer 2.0 (SSLv2) handshake process. Slapper.A and Slapper.B
both target the Linux operating system running the Apache Web server with

The impact of Slapper.B is the same as that of Slapper.A. Both worms carry
backdoor and distributed denial of service (DDoS) functionality. X-Force noted
that it was significant that source code for Slapper.A was distributed within
the computer underground immediately after the worm was detected in the wild.
Widespread access to the source code has no doubt contributed to the spread of
Slapper variants and X-Force predicts that Slapper will be used as a
development platform for future variants. Slapper.B had infected more than
9500 hosts as of September 22, 2002, 16:00 (UTC-4).

Affected Versions:

OpenSSL versions up to and including 0.9.6d and 0.9.7 beta1

Current versions of the Slapper worm only target the following Linux
distributions. The worm may trigger unpredictable results on additional Unix
platforms. Other Unix platforms, as well as Apache with OpenSSL for Windows,
may also be vulnerable to the OpenSSL vulnerability.

Debian Linux, Apache 1.3.26
Red Hat Linux, Apache 1.3.6
Red Hat Linux, Apache 1.3.9
Red Hat Linux, Apache 1.3.12
Red Hat Linux, Apache 1.3.19
Red Hat Linux, Apache 1.3.20
Red Hat Linux, Apache 1.3.23
SuSE Linux, Apache 1.3.12
SuSE Linux, Apache 1.3.17
SuSE Linux, Apache 1.3.19
SuSE Linux, Apache 1.3.20
SuSE Linux, Apache 1.3.23
Mandrake Linux, Apache 1.3.14
Mandrake Linux, Apache 1.3.19
Mandrake Linux, Apache 1.3.20
Mandrake Linux, Apache 1.3.23
Slackware Linux, Apache 1.3.26
Gentoo Linux (Apache version undetermined)
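The affected-version statement above ("up to and including 0.9.6d and 0.9.7 beta1") is awkward to check by hand across a fleet, because OpenSSL's version scheme mixes a letter patch suffix (0.9.6d) with beta tags (0.9.7-beta1) and neither sorts correctly as a plain string. The following added example, which is not part of the ISS brief, parses the version line printed by `openssl version` (for example "OpenSSL 0.9.6d 9 May 2002") into a sortable tuple and flags the versions the brief lists as affected. The host inventory is constructed sample data; the affected cutoffs are taken from the brief itself.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class OpenSSLVersion(NamedTuple):
    """Sortable representation of an OpenSSL 0.9.x/1.x style version.

    Field order gives the correct sort: 0.9.6 < 0.9.6d < 0.9.7-beta1 < 0.9.7 < 0.9.7a
    """
    major: int
    minor: int
    fix: int
    patch: int      # 0 = no letter, 'a' = 1 ... 'z' = 26, 'za' sorts after 'z'
    released: int   # 0 = beta, 1 = release (so beta1 < final release of the same base)
    beta: int       # beta number, 0 when not a beta


# Matches "0.9.6d", "0.9.7-beta1", "0.9.7 beta1", "0.9.8zh", "1.0.1e"; the beta
# alternative is tried first so "beta" is never swallowed as a patch letter.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-\s]?beta(\d+)|([a-z]{1,2}))?\b")


def _letters_to_index(letters: str) -> int:
    """Map a patch-letter suffix to an integer that preserves OpenSSL ordering."""
    idx = 0
    for ch in letters:
        idx = idx * 26 + (ord(ch) - ord("a") + 1)
    return idx


def parse_openssl_version(text: str) -> Optional[OpenSSLVersion]:
    """Extract the version from text such as the output of `openssl version`."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, beta, letters = m.groups()
    is_beta = beta is not None
    return OpenSSLVersion(
        int(major), int(minor), int(fix),
        _letters_to_index(letters or ""),
        0 if is_beta else 1,
        int(beta) if is_beta else 0,
    )


# Cutoffs as stated in the brief: everything up to and including 0.9.6d,
# and the 0.9.7 line up to and including beta1.
_LAST_AFFECTED_096 = parse_openssl_version("0.9.6d")
_LAST_AFFECTED_097 = parse_openssl_version("0.9.7-beta1")


def is_affected(version_text: str) -> bool:
    """True if the version falls inside the range the brief lists as affected."""
    v = parse_openssl_version(version_text)
    if v is None:
        raise ValueError(f"no OpenSSL version found in {version_text!r}")
    if v <= _LAST_AFFECTED_096:
        return True
    # 0.9.6e and later 0.9.6 letters are outside the range, so the 0.9.7 beta
    # check is restricted to the 0.9.7 base version.
    return v[:3] == _LAST_AFFECTED_097[:3] and v <= _LAST_AFFECTED_097


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, bool]]:
    """Return (host, affected) for each (host, `openssl version` output) pair."""
    return [(host, is_affected(banner)) for host, banner in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are not from the brief.
    sample = [
        ("web-01.example.test", "OpenSSL 0.9.6d 9 May 2002"),
        ("web-02.example.test", "OpenSSL 0.9.6e 30 Jul 2002"),
        ("web-03.example.test", "OpenSSL 0.9.7-beta1 1 Jun 2002"),
        ("web-04.example.test", "OpenSSL 0.9.7-beta2 1 Jul 2002"),
    ]
    for host, affected in triage(sample):
        print(f"{host}: {'AFFECTED' if affected else 'ok'}")
```

Run it against the collected output of `openssl version` from each host; a host is only cleared by this check for the OpenSSL range the brief names, so a vendor build that backported the fix while keeping an old version string still needs to be confirmed through the distribution's own advisory.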

For the complete ISS X-Force Security Alert, please visit:

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email for

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key
server, as well as at

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.
