The threat of the Linux Slapper worm has been nullified by proactive anti-virus work by specialists at F-Secure. In what is believed to be the first action of its kind by an anti-virus company, F-Secure was able to identify exactly which Web servers were being infected as each infection happened, send a warning to the administrators of the infected systems, and offer a free version of F-Secure Anti-Virus for LinuxTM to remove the worm from their systems.
Across the weekend of Friday 13th, following the discovery of the worm, F-Secure anti-virus laboratory was able to reverse-engineer the peer-to-peer protocol that the worm exploits to infect machines. This enabled F-Secure to access to the Slapper attack network by posing as an infected web server. Through this false server, F-Secure was able to determine the exact number of infected machines and their IP addresses as each server became infected.
In the process of warning the administrators of the infected servers, F-Secure worked in concert with 14 national CERT organizations. This approach was highly appreciated by many companies with emails: "Thanks kindly for your warning; our customer tells us they have upgraded their server. Congratulations on a job well done." Hugh Brown, Dowco Internet.
According to Mikko Hypponen, F-Secure's Manager of AV research: "Slapper was a very real risk, because its peer-to-peer networking capability enabled the author to take over any or all of the infected servers. The risk was not just distributed denial-of-service attacks, but also the backdoor access and control capability it gave over key parts of Internet infrastructure. That's why we took these measures to counter the risks it presented."
According to F-Secure, Slapper is representative of a new breed of worms and viruses as it is as much an attack tool as it is a quickly spreading worm.
F-Secure's Global Slapper Information Centre provides regularly updated information on the worm and numbers of infected servers categorized by the top-level domain. The company says it is imperative that all servers are cleaned and patched to prevent future infections as soon as possible - both to stop the spreading of the worm and to prevent unauthorised access to the infected servers.