Apache worm picks up first scalp
/v3-uk/news/1953320/apache-worm-picks-scalp
01 Jul 2002, James Middleton , V3
The first exploit to be based on the Apache vulnerability discovered two weeks ago has appeared in the wild.
Over this weekend, security experts were hurrying to analyse a worm that appeared to be hijacking Apache systems.
On Friday, honeypot networks set up by security experts picked up a worm actively spreading in the wild.
It appears to scan for Apache servers that have not yet been patched for the chunking vulnerability discovered two weeks ago.
Miguel Mendez, an OpenBSD coder who posted an analysis of the as yet unnamed Apache worm to Bugtraq, said: "Wow, an interesting puppy. It looks like it was either coded by someone with little experience or in a hurry."
The worm appears to be traversing the internet and trying to set up an army of zombie machines that could possibly be used for a distributed denial-of-service attack.
Although the worm is known to attack the OpenBSD operating system, it is thought that the release of proof-of-concept exploit code by the Gobbles security team recently may have helped the worm's author to code attacks for other operating systems.
Other flavours of BSD as well as Linux are reported to be affected as a result.
But even if the worm has not been coded to attack multiple variants of operating systems, there are reports of it having an adverse effect on other systems without actually hijacking the box.
In a number of cases, Apache administrators have reported that, while their machines have not been infiltrated, a failed exploit has resulted in resources being consumed until it locks up, effectively causing a denial of service anyway.
Although there are thought to be around 50 million Apache web servers on the web, those which have been upgraded to either 1.3.26 or 2.0.39 should be secure.
However, there is some concern that users may not yet have upgraded. Statistics from the day on which the chunking vulnerability was announced show that less than 50,000 users upgraded their servers.
Now users have a very real reason to update their patches.