After a warning was
issued two weeks ago that a chunk handling flaw on the popular Apache
security experts are now working to decode a worm that has been discovered
exploiting the flaw.
The worm, which is designed to infect computers running FreeBSD 4.5 and
either Apache version 1.3.20 or versions 1.3.22-24, was initially discovered
late last week.
According to Dan Ingevaldson, Team Lead of the X-Force R&D division of
Internet Security Systems, the scope of the worm was limited to attacks on
the one version, despite the exploit having the capability to successfully
attack several operating systems.
The worm, which has yet to be named, works by first sending an ordinary
request to the server. If it gets back a reply saying that the server is a
vulnerable one, it will send the exploit. An attacker can gain remote
control abilities, including Denial of Service (DoS) capability through the
“A lot of the commands that are associated with the worm involve denial of
service attacks,” said Ingevaldson. “It’s pretty fair to assume that the
people that wrote this want to affect a few machines and use them as a
denial of service floating network.”
Domas Mituzas, a system developer for Microlink notes that while the current
worm may only amount to an irritation with the occurrence of scans for
vulnerabilities, the emergence of modifications for attacks on non-freeBSD
systems could turn the situation into an epidemic.
Ingevaldson agreed, noting that FreeBSD users constitute only a minor
population of the apache market. While there has been a lot of speculation
that Linux and Solaris may be vulnerable, no one has proven it publicly yet.
“If Apache was exploitable for Solaris or Linux then you are looking at a
much larger percentage of Apache servers being vulnerable and all it would
take is this worm being adapted to just exploit those different
architectures,” said Ingevaldson.
Adapting the worm may also be easier in this case, as the source code for
the worm has already been published.
According to Mituzas, the simplest fix for now is upgrading Apache, but
noted that there are also various workarounds, which are being widely
discussed this morning on security lists.
While it appears that Upgrading Apache to 1.3.26 or 2.0.39 will prevent a
system from being taken over, there still is a risk of DdOS. If the Apache
worm tries to spread to a non-FreeBSD system, it will likely crash the
session on the server to which the worm had connected, which could cause a
service shut down.
While few people to date have reported the worm, it is believed to be
infecting vulnerable Web servers worldwide.
According to ISS, the worm does not posses the advanced scanning logic of
the Nimda worm class, but it does generate large amounts of traffic when
attempting to locate vulnerable hosts.
Worm Exploits Apache Flaw
After a warning was