The recent Apache "scalper" worm, targeting FreeBSD systems, represents a
dangerous precedent, even if it is a rather ineffective worm: it linearly
scans randomly selected class Bs, it doesn't employ a very good scanner, and
it can only infect a few types of machines (Apache 1.3.20, .22-24 running on
FreeBSD).
It was roughly 10 days from when Gobbles Security released an exploit for
the recent Apache vulnerability (in response to ISS's statement two days
earlier, announcing the vulnerability and stating that it was only
exploitable on win32 and some 64-bit platforms) to when the worm was seen in
the wild. This compares with several months between vulnerability
disclosure and the appearance of a worm for Code Red and Nimda.
We can expect this time to reduce to nearly 0 in the future, as worm authors
prepare worms in advance, or borrow existing worm code, and simply drop in
exploits as they are published. As we have already seen mail worm toolkits,
we can expect similar active scanning worm toolkits. This means that the
window of vulnerability between when an exploit or flaw is published, and
when it is actively exploited, will quickly reduce to zero.
As important, this worm contained a controllable DoS and backdoor module,
something directly useful to a blackhat, as did the Goner mail worm. The
blackhat community has realized that worms are a great way to compromise
machines with little effort and little risk.
My personal, somewhat hazy crystal ball: Over the next year, we will see a
lot of "1 day" worms, where shortly after an exploit is published, a
corresponding worm will be released. These worms will almost invariably
carry DDoS, credit card searchers, or similar payloads optimized for
blackhat goals. We probably will see toolkits!
We will also start to see worms appearing less than 2-3 days after a
detailed vulnerability is reported, as slightly more sophisticated blackhats
create an exploit, drop it into existing frameworks, and release worms.
Be Afraid (tm).
Scalper Worm code and first detection was at
http://www.dammit.lt/apache-worm/
Nicholas C. Weaver ["Nicholas C. Weaver" via risks-digest Volume 22, Issue 15]