Across the weekend of Friday 13th, following the discovery of the worm, F-Secure anti-virus laboratory was able to reverse-engineer the peer-to-peer protocol that the worm exploits to infect machines. This enabled F-Secure to access to the Slapper attack network by posing as an infected web server. Through this false server, F-Secure was able to determine the exact number of infected machines and their IP addresses as each server became infected.
In the process of warning the administrators of the infected servers, F-Secure worked in concert with 14 national CERT organizations. This approach was highly appreciated by many companies with emails: "Thanks kindly for your warning; our customer tells us they have upgraded their server. Congratulations on a job well done." Hugh Brown, Dowco Internet.
According to Mikko Hypponen, F-Secure's Manager of AV research: "Slapper was a very real risk, because its peer-to-peer networking capability enabled the author to take over any or all of the infected servers. The risk was not just distributed denial-of-service attacks, but also the backdoor access and control capability it gave over key parts of Internet infrastructure. That's why we took these measures to counter the risks it presented."
According to F-Secure, Slapper is representative of a new breed of worms and viruses as it is as much an attack tool as it is a quickly spreading worm.
F-Secure's Global Slapper Information Center provides regularly updated information on the worm and numbers of infected servers categorized by the top-level domain. The company says it is imperative that all servers are cleaned and patched to prevent future infections as soon as possible - both to stop the spreading of the worm and to prevent unauthorised access to the infected servers.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.