An analysis of the Slapper worm

Authors: Arce, I.; Levy, E.

Affiliation: Core Security Technologies, Boston, MA, USA

Abstract: We can prove that Slapper is a variation of the Apache Scalper worm by comparing the source code. Modifications introduced in the Slapper worm improved the robustness and efficiency of its predecessor's simplistic P2P networking capabilities. Slapper's author also removed certain features from the original, either because they were redundant or to reduce the perception that it was a tool developed to cause direct harm to networks. Among the features the author removed from Slapper were capabilities to update itself from a remotely specified Web server (perhaps to prevent someone else from replacing this version with a new one), to attack and infect a host specified by a controlling program, and to send spam. Interestingly, the ability to execute distributed denial-of-service attacks on a controlling user's behalf was kept intact. Slapper's author attempted to make communications with a remote controlling program as stealthy and untraceable as possible by removing several commands to query status and obtain feedback from Slapper nodes.

Keywords: (none listed)