Running Apache? Beware of "Armageddon"...

Monday, March 19, 2012

Kevin McAleavey


This'll be a short one this time. A new malware botnet from Russia ("with love") called "Armageddon" is on the loose. It contains a new exploit known as "Apache Killer," and it's pretty serious.

Although this particular exploit appeared last August, its presence in a new botnet in the wild means that if you haven't updated your Apache server to the latest version, you're likely to fall victim to a serious DDoS attack.

"Apache Killer" exploits a vulnerability in the Apache Web server by sending a specially crafted "Range" HTTP header to trigger a denial-of-service condition. And the exploit is serious enough that a single computer is capable of bringing Apache to its knees. A botnet full of these can result in "tango down."

As IDG reports, "the attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges," said Arbor research analyst Jeff Edwards in a blog post on Tuesday. "This can cause a surprisingly heavy load on the target server."

The vulnerability is identified as CVE-2011-3192 and was patched in Apache HTTPD 2.2.20, a week after the exploit was publicly released. Apache 2.2.21 contains an improved fix, according to the IDG article.
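For a check alongside patching, here is an added example (not from the original post or from the Apache project): a Python classifier that flags "Range" header values carrying many or overlapping byte ranges, the request shape described above. The threshold of 5, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

MAX_RANGES = 5  # assumed policy threshold; tune for the content you serve
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header):
    """Parse a Range header value into (first, last) tuples; None if malformed.
    A missing bound is None: '500-' -> (500, None), suffix '-200' -> (None, 200)."""
    unit, sep, specs = header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    out = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None  # last byte before first byte is not a valid range
        out.append((first, last))
    return out

def overlaps(ranges):
    """True if two explicit ranges share a byte (suffix ranges are skipped)."""
    spans = sorted((f, float("inf") if l is None else l)
                   for f, l in ranges if f is not None)
    # After sorting by start, any overlap shows up between neighbours.
    return any(b[0] <= a[1] for a, b in zip(spans, spans[1:]))

def classify(header):
    ranges = parse_ranges(header)
    if ranges is None:
        return "malformed"
    if len(ranges) > MAX_RANGES:
        return "too-many-ranges"
    return "overlapping" if overlaps(ranges) else "ok"

# Constructed sample requests (client address, Range header); not captured traffic.
SAMPLES = [
    ("192.0.2.10", "bytes=0-1023"),
    ("192.0.2.11", "bytes=0-99,200-299"),
    ("192.0.2.12", "bytes=0-499,100-599"),
    ("192.0.2.13", "bytes=" + ",".join(f"{i}-{i + 100}" for i in range(0, 40, 5))),
    ("192.0.2.14", "bytes=abc"),
]

def flagged(samples):
    """Return (client, verdict) for every request that is not 'ok'."""
    return [(ip, classify(h)) for ip, h in samples if classify(h) != "ok"]

if __name__ == "__main__":
    for ip, verdict in flagged(SAMPLES):
        print(ip, verdict)
```

The same logic can sit in a log pipeline or a reverse proxy hook, provided the Range header is actually being logged or passed through.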

Just wanted to give everyone who is not aware of it a "heads up"... and be sure you're running the latest Apache in your house.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system in Albany, NY and has been in antimalware research and security product development since 1996.
