New backdoor targets Java servers

Trend Micro has uncovered new malware, dubbed BKDR_JAVAWAR.JG, which masquerades as a JavaServer Page (JSP) while in reality installing a backdoor that gives an attacker control of the compromised server. The possible damage is wide-ranging: once installed, the backdoor lets an attacker browse, upload, edit, delete, download or copy files on the infected system through a web console tab, Trend Micro explained in a blog post. The attacker can also view system information, program versions, and installation and other important directories.

Even worse, the backdoor can also execute remote command-line instructions, so that beyond reading sensitive information, an attacker gains control of the infected system and can run further malicious commands on the vulnerable server.

“This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware,” Trend Micro wrote. “Web servers are viable targets for cybercriminals as they store crucial data and can easily be used to infect other systems once unwitting users visit those affected websites.”

The good news is that the attack's scope is limited. For it to succeed, the targeted system must be running a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server, Trend Micro explained. Another possible attack scenario is that an attacker scans for websites powered by Apache Tomcat, then attempts to access the Tomcat Web Application Manager.

“Using a password cracking tool, cybercriminals are able to login and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server,” the researchers said. “The backdoor will be automatically added in the accessible Java Server pages.”
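The Manager-abuse chain described above (repeated login failures, a successful login, a WAR upload, then requests to a freshly deployed JSP) leaves a recognisable trail in Tomcat's access log. The following is an added example of detection logic for that trail; it is not code from Trend Micro or the article. It assumes Tomcat's default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`), and the log lines embedded in it are constructed for illustration, not captured from a real incident. The failure threshold, alert severities and the `/update/index.jsp` path are assumptions of the example.

```python
"""Flag Tomcat Manager password guessing followed by a WAR deployment.

Added example (not the article's or Trend Micro's code). Assumes the default
Tomcat access-log pattern %h %l %u %t "%r" %s %b. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: 10.0.0.5 hammers the Manager login, gets in as
# "tomcat", uploads an application, then calls a JSP it just deployed.
# 192.168.1.20 is a legitimate administrator and must raise no alert.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2013:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2013:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2013:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2013:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Jan/2013:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [01/Jan/2013:10:00:05 +0000] "GET /manager/html HTTP/1.1" 200 15231
10.0.0.5 - tomcat [01/Jan/2013:10:00:09 +0000] "POST /manager/html/upload HTTP/1.1" 200 16004
10.0.0.5 - - [01/Jan/2013:10:00:12 +0000] "GET /update/index.jsp?cmd=id HTTP/1.1" 200 612
192.168.1.20 - - [01/Jan/2013:10:00:13 +0000] "GET /index.jsp HTTP/1.1" 200 3020
192.168.1.20 - admin [01/Jan/2013:10:00:14 +0000] "GET /manager/html HTTP/1.1" 200 15231
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints (HTML and text interfaces) that install new code on the server.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy",
                "/manager/text/deploy", "/manager/deploy")
FAIL_THRESHOLD = 5  # assumed: 401s from one host before we call it guessing


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string (CSRF nonce, args)
    return rec


def analyze(log_text):
    """Return (severity, host, message) alerts in log order."""
    alerts = []
    failures = defaultdict(int)  # host -> 401 responses under /manager/
    brute_forced = set()         # hosts that crossed FAIL_THRESHOLD
    logged_in = set()            # brute-forcing hosts that later got a 2xx from Manager
    deployed_from = set()        # hosts that hit a deployment endpoint successfully
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, path, status, user = rec["host"], rec["path"], rec["status"], rec["user"]
        in_manager = path.startswith("/manager/")
        ok = 200 <= status < 300
        if in_manager and status == 401:
            failures[host] += 1
            if failures[host] == FAIL_THRESHOLD:
                brute_forced.add(host)
                alerts.append(("medium", host,
                               f"{FAIL_THRESHOLD} Manager auth failures: password guessing"))
        elif in_manager and ok and host in brute_forced and host not in logged_in:
            logged_in.add(host)
            alerts.append(("high", host, f"Manager login as '{user}' after guessing"))
        if ok and any(path.startswith(p) for p in DEPLOY_PATHS):
            deployed_from.add(host)
            sev = "critical" if host in brute_forced else "medium"
            alerts.append((sev, host, f"application deployed via {path}"))
        elif ok and host in deployed_from and path.endswith(".jsp") and not in_manager:
            alerts.append(("high", host,
                           f"JSP requested by deploying host: {path} (possible backdoor)"))
    return alerts


if __name__ == "__main__":
    for severity, host, message in analyze(SAMPLE_LOG):
        print(f"[{severity}] {host}: {message}")
```

Run stand-alone, the script prints four alerts, all for 10.0.0.5, and nothing for the legitimate administrator. A deployment by a host that never failed authentication is still reported at medium severity, since Manager uploads are rare enough on a production server to deserve review. Beyond the strong-password advice in the article, Tomcat itself can raise the cost of this chain: the LockOutRealm temporarily locks a user after repeated failed logins, and a RemoteAddrValve on the Manager application restricts which source addresses may reach it at all.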

As always, users can take fairly simple steps to avoid infection. One is the tried-and-true best practice of regularly applying the security updates issued by software vendors, to prevent exploitation of known software vulnerabilities. Another layer is to refrain from visiting unknown websites and to bookmark trusted ones. “Lastly, users should use strong passwords that are resilient to password cracking tools,” Trend Micro concluded.
