Malware like BKDR_JAVAWAR.JG prove that web servers are viable targets by cybercriminals as they store crucial data and can easily be used to infect other systems once unwitting users visit those affected websites.
We recently spotted a Java Server page that performs backdoor routines and gains control over vulnerable server. Trend Micro detects this as BKDR_JAVAWAR.JG. This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware.
For this attack to be successful, the targeted system must be a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager.
Using a password cracking tool, cybercriminals are able to login and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server. The backdoor will be automatically added in the accessible Java Server pages. To execute its routine, the attacker can access the Java Server page using the following:
Error! Hyperlink reference not valid. sub-directory inside Tomcat webapps folder}/{malware name}
Once done, the backdoor can now browse, upload, edit, delete, download or copy files from the infected system using the following Web console tab:
It can also do remote command line instructions using this web console tab:
The attacker can view information like system information, program versions, installation and important directories via the web console tab:
Aside from gaining access to sensitive information, an attacker gains control of the infected system thru the backdoor and can carry out more malicious commands onto the vulnerable server.
There are certain steps that users can do to avoid this threat. First, users should regularly implement security updates issued by software vendors, to prevent exploits affecting software vulnerabilities. Another is to refrain from visiting unknown websites and bookmark trusted ones. Lastly, users should use strong passwords that are resilient to password cracking tools. To know more about the best practices in creating resilient passwords, you may read our FAQ article Will Your Passwords Pass the Test?
Trend Micro Smart Protection Network protects users from this threat by detecting and deleting BKDR_JAVAWAR.JG if found on the system.
Hat tip to Threat response engineer Joan Gan. With analysis from Threat response engineer Jaime Reyes
Leave a reply
