WORM: Slapper (Cinik Version) Update Attempt

This signature detects attempts to access the URL that is hard coded into the Cinik variants of the Slapper Worm (Slapper B and C). These variants use WGET to download updated sources from a Romanian Web site.

Extended Description

A buffer-overflow vulnerability has been reported in some versions of OpenSSL. The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition. ***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.

Affected Products

Sonicwall ssl-r6,Hp tcp/ip_services_for_openvms,Openssl_project openssl

References

BugTraq: 5363

CVE: CVE-2002-0656

URL: http://vil.nai.com/vil/content/v_99693.htm http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html http://www.f-secure.com/v-descs/slapper.shtml

Short Name

WORM:SLAPPER:CINIK-SRC

Severity

Critical

Recommended

False

Recommended Action

Drop

WORM: Slapper (Cinik Version) Update Attempt

Extended Description

Affected Products

References

Found a potential security threat?