virus

Arrest for Slapper author

But a new variant is already out there

vnunet.com, 24 Sep 2002

A suspect has been arrested on suspicion of authoring the Slapper worm.

But although the threat of the worm seems to have been shortlived, a new variant is already set to take up where its predecessor left off.

David Morgan, senior consultant for Internet Security Systems (ISS), revealed the news of the arrest.

"Slapper mailed the addresses of infected machines back to an email address in the Ukraine," he said. "This email was checked from a traceable location and, as a result, a 21-year-old male has been arrested by the authorities."

Meanwhile, the Internet Storm Centre (ISC), run by the Sans Institute, has declared the internet back on green alert or situation normal after the worm, which preyed on vulnerable Apache web servers throughout last week, appeared to be dying out.

With around 6,000 machines infected, the ISC last week declared a yellow alert. But Slapper's threat petered out before the worm hit anything like Code Red or Nimda proportions, which affected 400,000 and 86,000 servers respectively.

Although the ISC's 'most attacked ports' chart no longer features Slapper in its Top 10 a variant, Slapper.B, has been spotted in the wild.

Slapper.B has several subtle differences, but is for the most part an updated version of its predecessor.

Both worms attempt to exploit a known vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process. The two variants also carry the same payload, a password-protected backdoor and denial of service (DoS) capabilities.

ISS's Morgan said that with the new variant on the loose his company had calculated that about 10,000 servers were probably now infected, and that the network was probably going to be used for DoS attacks. He added that it was unlikely the original author created the second worm.

"It was significant that source code for the original Slapper was distributed within the computer underground immediately after the worm was detected in the wild," he said.

"The code has probably been borrowed," he added

Some security watchers have suggested that the original worm was built on the blueprint for a concept attack known as peer-to-peer UDP Distributed DoS (PUD).

Morgan said that this was possible, since the code would make a good blueprint for new variants and could be tweaked to attack other operating systems.