RSSUnder the radar Apache worm?
I haven't seen a lot of detail about this yet, but fellow CW blogger Sue Walsh reports some additional information about the supposed Linux/Apache based exploit that may be infecting a surprising number of servers currently. Unlike other modern worm attacks, this one (if it in fact exists; so far it's only been determined by inference rather than observation) seems to be relatively well-written, managing to install and co-opt servers without causing extensive malfunctions.
Although the exact exploit infecting the servers does not yet seem to have been adequately described, the mechanism of the resulting infection appears to be clear enough: the infected web server acts on visiting web browsers using the Rbot and Sdbot trojan attacks and attempts to take over the client computer and bring it into a larger botnet… to what nefarious purpose yet unknown.
The larger concern currently is over the exploit involved in compromising the webservers. Large-scale botnets are a sad but simple fact of life these days, whether they are built using spam or web-based attacks. Wide-spread web server compromises, however, particularly against the popular LAMP platform, are quite another level of concern. It remains to be seen whether these were limited, uniquely crafted compromises or whether there is some underlying hole which has yet to be exposed and patched in the architecture.
EDIT: Clarified the unconfirmed status of the worm in the opening paragraph.
