Eric Rescorla <ekr@rtfm.com> writes:
> especially since one could easily modify the worm to attack all servers or, perhaps, those which only display Product ID :) ... or maybe not.
I hadn't seen a copy of the worm yet, so I guessed from your description that it was using the Server: value to detect who is running downrev versions of OpenSSL. Not so. Upon examination, it looks like the worm uses the server version to decide what section of memory to overwrite (based on the target OS) and server version.

So, if people reconfigured their servers to not give you this information, a worm author would either have to have the worm try all possible exploits (not a big deal with only 20 architectures to search) or have some other evidence as to what OS/Apache version people were running. Note that for this to be a 100% countermeasure you'd have to reconfigure your server not to advertise Apache at all.

Otherwise, it looks to me like the worm assumes that you're running Red Hat/Apache 1.3.23, in which case there's a real chance that the worm will crash your server by using the wrong overwrite offset.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
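As an added example, not part of Ekr's message or of any project discussed in the thread: a small Python audit of what a Server: banner discloses, graded against the levels of Apache's real ServerTokens directive (Prod, Min, OS, Full). The sample banners are constructed, not captured from any host.

```python
"""Classify what an HTTP Server: banner advertises (added example).

The thread notes the worm read the Server: header to choose an OS- and
Apache-version-specific overwrite offset, so the banner level is what a
defender wants to verify after reconfiguring.  Banners are constructed.
"""
import re

# Constructed sample banners in the style of Apache 1.3 + mod_ssl servers.
SAMPLE_BANNERS = {
    "full": "Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b",
    "os": "Apache/1.3.23 (Unix)",
    "min": "Apache/1.3.23",
    "prod": "Apache",
    "none": "",
}

PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*)/([\w.]+)")  # name/version tokens
COMMENT_RE = re.compile(r"\(([^)]*)\)")                 # parenthesised OS hints


def disclosed(banner):
    """Return the facts an observer can read off a Server: banner."""
    comments = COMMENT_RE.findall(banner)
    products = dict(PRODUCT_RE.findall(COMMENT_RE.sub("", banner)))
    return {
        "apache_version": products.get("Apache"),
        "openssl_version": products.get("OpenSSL"),
        "os_hint": " ".join(comments) or None,
        "modules": sorted(p for p in products if p not in ("Apache", "OpenSSL")),
    }


def exposure_level(banner):
    """Map a banner to the nearest Apache ServerTokens level."""
    if not banner.strip():
        return "none"            # header suppressed entirely
    info = disclosed(banner)
    if info["modules"] or info["openssl_version"]:
        return "full"            # module and library versions leak
    if info["os_hint"]:
        return "os"              # OS hint, as the worm relied on
    if info["apache_version"]:
        return "min"             # product and version only
    return "prod"                # product name only (ServerTokens Prod)


if __name__ == "__main__":
    for level, banner in SAMPLE_BANNERS.items():
        print(f"{level:5} {banner!r:70} -> {exposure_level(banner)}")
```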