By Michael Chait
After a warning was issued two weeks ago that a chunk handling flaw on the popular Apache web server application could leave servers vulnerable, security experts are now working to decode a worm that has been discovered exploiting the flaw.
The worm, which is designed to infect computers running FreeBSD 4.5 and either Apache version 1.3.20 or versions 1.3.22-24, was initially discovered late last week.
According to Dan Ingevaldson, Team Lead of the X-Force R&D division of Internet Security Systems, the scope of the worm was limited to attacks on the one version, despite the exploit having the capability to successfully attack several operating systems.
The worm, which has yet to be named, works by first sending an ordinary request to the server. If it gets back a reply saying that the server is a vulnerable one, it will send the exploit. An attacker can gain remote control abilities, including Denial of Service (DoS) capability through the worm.
"A lot of the commands that are associated with the worm involve denial of service attacks," said Ingevaldson. "It's pretty fair to assume that the people that wrote this want to affect a few machines and use them as a denial of service floating network."
Domas Mituzas, a system developer for Microlink notes that while the current worm may only amount to an irritation with the occurrence of scans for vulnerabilities, the emergence of modifications for attacks on non-freeBSD systems could turn the situation into an epidemic.
Ingevaldson agreed, noting that FreeBSD users constitute only a minor population of the apache market. While there has been a lot of speculation that Linux and Solaris may be vulnerable, no one has proven it publicly yet.
"If Apache was exploitable for Solaris or Linux then you are looking at a much larger percentage of Apache servers being vulnerable and all it would take is this worm being adapted to just exploit those different architectures," said Ingevaldson.
Adapting the worm may also be easier in this case, as the source code for the worm has already been published.
According to Mituzas, the simplest fix for now is upgrading Apache, but noted that there are also various workarounds, which are being widely discussed this morning on security lists.
While it appears that upgrading Apache to 1.3.26 or 2.0.39 will prevent a system from being taken over, there still is a risk of DdOS. If the Apache worm tries to spread to a non-FreeBSD system, it will likely crash the session on the server to which the worm had connected, which could cause a service shut down.
While few people to date have reported the worm, it is believed to be infecting vulnerable Web servers worldwide.
According to ISS, the worm does not posses the advanced scanning logic of the Nimda worm class, but it does generate large amounts of traffic when attempting to locate vulnerable hosts.