-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief
September 22, 2002
Revised: September 23, 2002

Propagation of "Slapper" OpenSSL/Apache Worm Variants

Synopsis:

ISS X-Force has learned of the existence of variants of the "Slapper" (also known as Slapper.A) worm that X-Force documented in an X-Force Security Alert on September 14, 2002. The variants have several subtle differences from the first Slapper worm, but they are for the most part updated versions of their predecessor. The variants carry the same attack payload and attempt to exploit a previously disclosed vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process. Slapper.A, Slapper.B, and Slapper.C target the Linux operating system running the Apache Web server with OpenSSL.

Impact:

The impact of the Slapper variants is the same as the original. All versions carry backdoor and distributed denial of service (DDoS) functionality. X-Force noted that it was significant that source code for Slapper.A was distributed within the computer underground immediately after the worm was detected in the wild. Widespread access to the source code has no doubt contributed to the spread of Slapper variants, and X-Force predicts that Slapper will be used as a development platform for future variants.

Slapper.B had infected more than 15322 hosts by September 23, 2002, 15:00 (UTC-4). Slapper.C had infected over 1500 hosts by September 23, 2002, 15:00 (UTC-4).

Affected Versions:

OpenSSL versions up to and including 0.9.6d and 0.9.7 beta1

Current versions of the Slapper worm only target the following Linux distributions. The worm may trigger unpredictable results on additional Unix platforms. Other Unix platforms, as well as Apache with OpenSSL for Windows, may also be vulnerable to the OpenSSL vulnerability.

    Debian Linux, Apache 1.3.26
    Red Hat Linux, Apache 1.3.6
    Red Hat Linux, Apache 1.3.9
    Red Hat Linux, Apache 1.3.12
    Red Hat Linux, Apache 1.3.19
    Red Hat Linux, Apache 1.3.20
    Red Hat Linux, Apache 1.3.23
    SuSE Linux, Apache 1.3.12
    SuSE Linux, Apache 1.3.17
    SuSE Linux, Apache 1.3.19
    SuSE Linux, Apache 1.3.20
    SuSE Linux, Apache 1.3.23
    Mandrake Linux, Apache 1.3.14
    Mandrake Linux, Apache 1.3.19
    Mandrake Linux, Apache 1.3.20
    Mandrake Linux, Apache 1.3.23
    Slackware Linux, Apache 1.3.26
    Gentoo Linux (Apache version undetermined)

For the complete ISS X-Force Security Alert, please visit:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184

______

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPY9orjRfJiV99eG9AQFZaAP/dhK7869/EQ1qcTi0/N7vj6dEW9FUaFOz
UCrU4RbrgME/MQd/Udl65SZu2lyrwtU8NrITTgVm/+hYYypVFFUd1aDwJMygQEe7
DxJQXg1Eg8oMmRG9BRKy74bNVxPqEr+ybFvKBr4AQztO3fUyB9foHobOtDFaylaG
csxB2wDgth8=
=fdpW
-----END PGP SIGNATURE-----
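
The range given under "Affected Versions" above (OpenSSL up to and including 0.9.6d, and 0.9.7 beta1) can be checked against version banners collected during an inventory. The following is an added triage example, not part of the ISS brief; the function names and sample banners are constructed for illustration.

```python
import re

# Matches `openssl version` output ("OpenSSL 0.9.6d ...") and the token Apache
# puts in its Server header ("OpenSSL/0.9.6d"). A trailing letter is a patch
# release; "beta N" marks a pre-release of that branch.
_VERSION = re.compile(
    r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]?)(?![a-z])(?:[- ]?beta(\d+))?"
)


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter, beta) or None if no version found."""
    m = _VERSION.search(banner)
    if not m:
        return None
    base = tuple(int(g) for g in m.group(1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return base, m.group(4), beta


def in_advisory_range(banner):
    """True/False for the range the brief lists; None if no version is present.

    Caveat (assumption, not from the brief): distributions may patch OpenSSL
    without changing the version string, so True is a flag for follow-up.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    base, letter, beta = parsed
    if base < (0, 9, 6):
        return True                      # older than the 0.9.6 branch
    if base == (0, 9, 6):
        return letter <= "d"             # "" sorts first, so plain 0.9.6 counts
    if base == (0, 9, 7):
        return beta is not None and beta <= 1   # only 0.9.7 beta1 is listed
    return False


def triage(banners):
    """Map each banner to its in_advisory_range() result."""
    return {b: in_advisory_range(b) for b in banners}


# Constructed sample banners (not taken from the brief).
SAMPLES = [
    "OpenSSL 0.9.6d",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6b",
    "OpenSSL 0.9.6e",
    "OpenSSL 0.9.7-beta1",
    "OpenSSL 0.9.7-beta3",
    "Apache/1.3.26 (Unix)",
]

if __name__ == "__main__":
    for banner, hit in triage(SAMPLES).items():
        print(f"{hit!s:5}  {banner}")
```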
