Symantec recently found a new worm-type backdoor targeting servers. While most of this type are written in PHP and frequently target CMS systems such as WordPress, this one acts as a Java servlet and attacks Apache Tomcat servers. That's not the only difference – for now at least, this malware appears to do nothing but seek to spread to other Tomcat servers. Symantec calls this malware Java.Tomdep.
Java.Tomdep does not create web pages as drive-by attacks do but, says Symantec researcher Takashi Katsuki, "instead behaves as an IRC bot. It connects to an IRC server and performs commands sent from the attacker." It also seeks out other Tomcat servers and attempts to log in to them using a few common weak ID/password combinations, such as admin:admin, tomcat:tomcat and admin:password. There is no indication from Symantec that the malware brute-forces its way in; because it tries only a handful of combinations per server, the failed attempts are unlikely to trip threshold-based alerting on the login logs.
But if any of the combinations match, the malware is in. So far, Symantec has found the attacker's command-and-control servers in Taiwan and Luxembourg. "As far as we know," adds Katsuki, "not many computers have fallen victim to this threat yet." He notes that servers do not always carry the anti-virus protection that is common on personal computers, so it is possible that there are more infections than are apparent, simply undetected through a lack of AV defenses.
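Because the spreading behaviour described above is a handful of password guesses rather than a brute-force flood, a detection that counts failures against a high threshold will never fire; a log-based check, which does not depend on server-side anti-virus, is the natural complement. The script below is an added example, not code from Symantec or from the article: it parses Tomcat access-log lines in the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), assumes the guesses arrive at the Manager application under /manager/ or /host-manager/, and flags any source that sees even one 401 on those paths, escalating when the same source later obtains an authenticated response (the 401-then-200 sequence that a successful weak-credential guess leaves behind). The sample log lines, the addresses and the user names are constructed for the example.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# %u is the authenticated remote user, or "-" when the request was not authenticated.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Assumption: the management interface being guessed at is the Tomcat Manager app.
MANAGER_PATHS = ("/manager/", "/host-manager/")

# Constructed sample log: two guesses then a successful login as "admin" from 203.0.113.5,
# a single failed guess from 198.51.100.7, a legitimate admin from 10.0.0.12,
# and an unrelated request that must not be counted.
SAMPLE_LOG = """
203.0.113.5 - - [20/Nov/2013:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [20/Nov/2013:10:15:33 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - admin [20/Nov/2013:10:15:34 +0000] "GET /manager/html HTTP/1.1" 200 15221
203.0.113.5 - admin [20/Nov/2013:10:15:40 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 52
198.51.100.7 - - [20/Nov/2013:11:02:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.12 - ops [20/Nov/2013:11:30:00 +0000] "GET /manager/html HTTP/1.1" 200 15221
192.0.2.44 - - [20/Nov/2013:11:45:12 +0000] "GET /index.jsp HTTP/1.1" 200 1024
""".strip().splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_manager_request(path):
    return path.startswith(MANAGER_PATHS)


def analyse(lines):
    """Summarise Manager-app authentication activity per source host.

    A 401 is a failed credential attempt. Any non-401 response that carries an
    authenticated user in %u means the credentials were accepted (403 still
    means the password was right but the role was missing).
    """
    per_host = defaultdict(
        lambda: {"failed": 0, "succeeded_as": set(), "failed_then_success": False}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_manager_request(rec["path"]):
            continue
        summary = per_host[rec["host"]]
        if rec["status"] == 401:
            summary["failed"] += 1
        elif rec["user"] != "-":
            summary["succeeded_as"].add(rec["user"])
            if summary["failed"] > 0:
                summary["failed_then_success"] = True
    return dict(per_host)


def alerts(per_host, allowed_hosts=frozenset()):
    """Turn the per-host summary into (host, severity, reason) tuples.

    The threshold for failures is deliberately one, not N: a few guesses per
    server is exactly what a low-key spreader produces.
    """
    out = []
    for host, s in sorted(per_host.items()):
        if host in allowed_hosts:
            continue  # known administrator sources are expected to log in
        if s["failed_then_success"]:
            out.append((host, "HIGH",
                        f"manager login succeeded as {sorted(s['succeeded_as'])} "
                        f"after {s['failed']} failure(s): probable weak-credential guess"))
        elif s["failed"] > 0:
            out.append((host, "MEDIUM", f"{s['failed']} failed manager login(s)"))
        elif s["succeeded_as"]:
            out.append((host, "LOW",
                        f"manager login as {sorted(s['succeeded_as'])} from unlisted host"))
    return out


if __name__ == "__main__":
    for host, severity, reason in alerts(analyse(SAMPLE_LOG), allowed_hosts={"10.0.0.12"}):
        print(f"{severity:6} {host:15} {reason}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines and putting the addresses administrators really use into allowed_hosts; the HIGH case is the one worth paging on, since after it the deploy endpoint is reachable with the guessed credentials.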
It may equally be, however, that Symantec has detected the early phase of a server-based botnet build. That the malware currently does nothing but spread, and spreads in a rather low-key manner, could suggest that the attacker is biding his time to build as large a server-based botnet as possible. "It is thus possible that DDoS attacks from the compromised servers are the attacker’s purpose," surmises Katsuki.
Luis Corrons, technical director at PandaLabs, is less certain. "It is true that these servers will have more power theoretically," he told Infosecurity, "but you can still do much more damage with a desktop botnet, as its size can be way bigger." He also suggests that the low-key method of spreading is less to do with stealth and perhaps more to do with hunting out the more poorly defended servers. "Probably the antivirus protection in Apache won’t be something common compared to desktops. Infections can last for a long period without being detected. Remember they infect using weak passwords, which will mean that security is not a priority on these servers. That could provide a nice weapon-carrier for targeted attacks."
ESET senior research fellow David Harley takes a similar view. Although the infected servers could be designed for DDoS purposes, "if heavy server resources are expended on extracurricular malicious activity," he told Infosecurity, "only the doziest administrators are likely to miss the fact that there’s a problem." That infected computers don't currently infect local web pages doesn't mean they won’t have their functionality changed or extended in future. "The fact that they don’t do web pages right now doesn’t mean they won’t later on," he warned.