The worm takes advantage of a known security hole in Apache Web servers by scanning the Internet and installing a backdoor application when it finds a vulnerable Web server. This backdoor allows the attacker to remotely control the system and use it in attacks on other Web servers, according to anti-virus software vendor F-Secure.
The open source Apache server is the most commonly used Web server software, running on 63% of Web sites, according to a survey by UK analyst Netcraft.
However, the reach of the worm, dubbed Scalper by F-Secure, is limited. "It only hits a small fragment of the Apache users," said Mikko Hyppönen, research manager at F-Secure, because it only affects Apache on the open source FreeBSD operating system.
Mike Prettejohn, director at Netcraft, agreed but said, "FreeBSD is the third most popular platform for Apache after Linux and Solaris."
Hyppönen does not see the worm as a big danger. "The current version is low risk. It is spreading, we can see hits generated by the worm, but it is not widespread. It could infect a measurable portion of the FreeBSD Web servers, but that has not happened yet," he said.
Variants of the worm attacking Apache on other platforms may soon surface, Hyppönen warned. "It would be easy to change this worm to work on Linux or any other system. But then, on the positive side, I would think that Apache Web server administrators are diligent in patching, so the spread would not be as big as Code Red, which infected about 200,000 Web sites in two days about a year ago," Hyppönen said.
Apache administrators have responded swiftly, with well over six million Web sites running on Apache already upgraded to Apache 1.3.26, a version of the software not vulnerable to this attack. However, about 14 million potentially vulnerable sites using Apache remain, Netcraft said in its monthly commentary released on Monday (1 July).
The flaw in the Apache Web server that the worm exploits affects all versions of Apache 1.2, versions of Apache 1.3 up to 1.3.24 and versions of Apache 2 up to 2.0.36, according to a statement from the Apache Software Foundation released on 20 June. The new Apache 1.3.26 and Apache 2.0.39 fix the issue, the Foundation said.
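As an added illustration (not from the article or from the Apache Software Foundation), the triage script below turns the affected-version statement above into a check an administrator can run over an inventory of Server banners; the hostnames and banners are constructed, and releases the statement does not name (for example 1.3.25 or 2.0.37) are reported as "unstated" rather than assumed safe.

```python
import re

# Affected releases as stated by the Apache Software Foundation (20 June):
# every 1.2 release, 1.3 up to 1.3.24, and 2.0 up to 2.0.36.
# The fixed releases are 1.3.26 and 2.0.39.
LAST_VULNERABLE = {
    (1, 2): None,   # None means the whole branch is affected
    (1, 3): 24,
    (2, 0): 36,
}
FIRST_FIXED = {(1, 3): 26, (2, 0): 39}


def parse_version(banner):
    """Extract (major, minor, patch) from a Server header such as
    'Apache/1.3.24 (Unix)'. Returns None when no version is exposed."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(banner):
    """Classify one banner as vulnerable, fixed, unstated or unknown."""
    version = parse_version(banner)
    if version is None:
        return "unknown"        # version hidden or not Apache: verify another way
    branch, patch = version[:2], version[2]
    if branch not in LAST_VULNERABLE:
        return "unstated"       # branch not covered by the statement
    last_bad = LAST_VULNERABLE[branch]
    if last_bad is None or patch <= last_bad:
        return "vulnerable"
    if patch >= FIRST_FIXED[branch]:
        return "fixed"
    return "unstated"           # between the last affected and the fixed release


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = [
    ("www1.example", "Apache/1.3.24 (Unix) FreeBSD"),
    ("www2.example", "Apache/1.3.26 (Unix)"),
    ("www3.example", "Apache/2.0.36 (Unix)"),
    ("www4.example", "Apache/2.0.39 (Unix)"),
    ("www5.example", "Apache/1.2.6"),
    ("www6.example", "Apache/1.3.25"),
    ("www7.example", "Apache"),
]


def triage(inventory):
    """Map each host to its assessment so the vulnerable ones can be patched first."""
    return {host: assess(banner) for host, banner in inventory}
```

A banner that hides the version (the "unknown" case) is common on hardened servers, so it should be followed up by checking the installed package rather than treated as safe.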