Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] Linux/Slapper.worm
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Wed, 18 Sep 2002 12:13:25 +0200
  • Message-id: <3D8851C5.3A64172D@xxxxxxx>
Hey,

FYI (and for all those who aren't subscribed to Bugtraq), here's a link
to an excellent analysis of the Modap/Slapper OpenSSL worm (in Acrobat
Reader format):

http://analyzer.securityfocus.com/alerts/020916-Analysis-Modap.pdf

There seems to be some misunderstanding of this worm. Its source code
(read: the current OpenSSL exploit) was leaked out and immediately
posted on several security mailing lists such as Bugtraq or Full
Disclosure, and the CERT guys (together with others) published an
incident report about it, but in the wild, there are at least three
versions of a worm-like program exploiting the latest OpenSSL/Apache
vulns.

The sources are commonly called pud.c (pud = Peer-to-Peer UDP
distributed denial of service) and apache-worm.c (which is a
revised/modified version of pud.c), and various SSLv2 detection
programs have also been sighted with contents of both sources. However, the
source the analysis refers to is pud.c.

For those who are interested, I did some sandbox tests with both source
versions, and both of them contain some really nasty (but nicely coded)
routines. I predict a growth of OpenSSL attacks after the public release
of all the sources within a week (if not within days/hours), and given
the danger level of these programs, all SSL-aware apps and tools should
be updated/recompiled with a known-good version of openssl (0.9.6e+)
quickly.

Boris <bolo@xxxxxxx>
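
An added check, not part of Boris's mail, for the update advice above: it parses the version printed by `openssl version` and flags anything older than 0.9.6e, the known-good level named in the post. It assumes version strings of the form "0.9.6d" or "0.9.7" (digits with an optional trailing patch letter).

```shell
#!/bin/sh
# Added example (not from the original mail): is the installed OpenSSL at or
# above 0.9.6e, the level the post names as known-good?
# Assumption: versions look like "0.9.6d" / "0.9.7", as `openssl version` prints.

MIN_OK="0.9.6e"

# Print a zero-padded, lexically sortable key: 0.9.6d -> 000.009.006.004
# A missing patch letter counts as 0, so 0.9.6 < 0.9.6a < ... < 0.9.6e < 0.9.7.
ssl_version_key() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    rest=$(printf '%s' "$1" | cut -d. -f3)
    pat=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
    letter=$(printf '%s' "$rest" | sed 's/^[0-9]*//; s/[^a-z].*//')
    if [ -n "$letter" ]; then
        # ordinal of the patch letter: a=1 ... z=26 (printf "'x" gives its code)
        l=$(( $(printf '%d' "'$letter") - 96 ))
    else
        l=0
    fi
    printf '%03d.%03d.%03d.%03d\n' "${maj:-0}" "${min:-0}" "${pat:-0}" "$l"
}

# Return 0 when version $1 is at least MIN_OK, 1 when it is older (still exposed).
ssl_version_ok() {
    k=$(ssl_version_key "$1")
    m=$(ssl_version_key "$MIN_OK")
    # the smaller of the two keys must be the minimum for $1 to be acceptable
    [ "$(printf '%s\n%s\n' "$k" "$m" | sort | head -n 1)" = "$m" ]
}

# Inspect the locally installed openssl binary: "OpenSSL 0.9.6d 9 May 2002" -> 0.9.6d
check_local_openssl() {
    v=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || { echo "openssl binary not found"; return 2; }
    if ssl_version_ok "$v"; then
        echo "openssl $v: at or above $MIN_OK"
    else
        echo "openssl $v: older than $MIN_OK, update/recompile"
        return 1
    fi
}
```

This only inspects the openssl command itself; a daemon statically linked against an old libssl reports nothing here, which is why the post says "recompiled" as well as "updated".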