The worm, which is designed to infect computers running FreeBSD 4.5 and either Apache version 1.3.20 or versions 1.3.22-24, was initially discovered late last week.
According to Dan Ingevaldson, Team Lead of the X-Force R&D division of Internet Security Systems, the scope of the worm was limited to attacks on the one version, despite the exploit having the capability to successfully attack several operating systems.
The worm, which has yet to be named, works by first sending an ordinary request to the server. If it gets back a reply saying that the server is a vulnerable one, it will send the exploit. An attacker can gain remote control abilities, including Denial of Service (DoS) capability through the worm.
Domas Mituzas, a system developer for Microlink notes that while the current worm may only amount to an irritation with the occurrence of scans for vulnerabilities, the emergence of modifications for attacks on non-freeBSD systems could turn the situation into an epidemic.
Ingevaldson agreed, noting that FreeBSD users constitute only a minor population of the apache market. While there has been a lot of speculation that Linux and Solaris may be vulnerable, no one has proven it publicly yet.
"If Apache was exploitable for Solaris or Linux then you are looking at a much larger percentage of Apache servers being vulnerable and all it would take is this worm being adapted to just exploit those different architectures," said Ingevaldson.
Adapting the worm may also be easier in this case, as the source code for the worm has already been published.
According to Mituzas, the simplest fix for now is upgrading Apache, but noted that there are also various workarounds, which are being widely discussed this morning on security lists.
While it appears that Upgrading Apache to 1.3.26 or 2.0.39 will prevent a system from being taken over, there still is a risk of DdOS. If the Apache worm tries to spread to a non-FreeBSD system, it will likely crash the session on the server to which the worm had connected, which could cause a service shut down.
While few people to date have reported the worm, it is believed to be infecting vulnerable Web servers worldwide.
According to ISS, the worm does not posses the advanced scanning logic of the Nimda worm class, but it does generate large amounts of traffic when attempting to locate vulnerable hosts.
This story was first published on InternetNews, an internet.com site.