Researchers have discovered a strain of malware designed to target servers running Apache Tomcat that can allow an attacker to gain remote access and control, much in the same way a worm or Trojan can allow attackers to take control of a single computer.
Dubbed Java.Tomdep, the worm acts as a Java Servlet as opposed to being written in PHP, and can provide the attacker with the means to seek out and infect other servers running Tomcat while visitors to the websites remain uninfected.
“The Java Servlet is executed on Apache Tomcat, but it does not create a Web page and instead behaves as an IRC bot. It connects to an IRC server and performs commands sent from the attacker. End users who visit Web pages from the compromised Tomcat server are not affected by this threat,” wrote researcher Takashi Katsuki.
“Aside from standard commands such as download, upload, creating new process, SOCKS proxy, UDP flooding, and updating itself; compromised computers can also scan for other Tomcat servers and send the malware to them. It is thus possible that DDoS attacks from the compromised servers are the attacker’s purpose,” Katsuki said.
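As an added illustration (not from the article or from the researcher's write-up), a defender's check for the behaviour described above: the bot runs inside the Tomcat JVM and keeps an outbound connection to an IRC server. The script parses constructed netstat-style lines (all addresses and PIDs are made up) and flags established connections owned by the java process that leave the host toward IRC ports; the port list and Tomcat listener ports are assumptions to tune for your environment.

```python
"""Flag outbound connections from a Tomcat JVM that look like IRC C&C traffic."""
import re
from dataclasses import dataclass

# Ports commonly used by IRC servers (assumption: adjust for your environment).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample in `netstat -tnp` style; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:8080  192.0.2.10:51234  ESTABLISHED 2211/java
tcp 0 0 10.0.0.5:43110 198.51.100.7:6667 ESTABLISHED 2211/java
tcp 0 0 10.0.0.5:43111 203.0.113.9:443   ESTABLISHED 2211/java
tcp 0 0 10.0.0.5:22    192.0.2.11:50000  ESTABLISHED 900/sshd
"""

LINE_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)/(\S+)$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    remote: str
    port: int
    reason: str


def parse_netstat(text):
    """Yield (proto, lhost, lport, rhost, rport, state, pid, prog) per line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def suspicious_tomcat_connections(text, listen_ports=(8080, 8443, 8009)):
    """Return Findings for java-owned ESTABLISHED connections that are not
    inbound to a Tomcat listener and whose remote port is an IRC port."""
    findings = []
    for _proto, _lhost, lport, rhost, rport, state, pid, prog in parse_netstat(text):
        if prog != "java" or state != "ESTABLISHED":
            continue
        if int(lport) in listen_ports:
            continue  # inbound client connection to the web app, not egress
        if int(rport) in IRC_PORTS:
            findings.append(Finding(int(pid), rhost, int(rport), "outbound to IRC port"))
    return findings
```

A bot using a non-standard port will not match the port list, so any unexpected egress from the Tomcat JVM (here the 203.0.113.9:443 line) still deserves a look against your allowed-destination baseline.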
Infections have only been detected in a handful of nations so far, including the U.S., Italy, China, Brazil and Japan, and the command and control (C&C) servers have been traced to locations in both Taiwan and Luxembourg.
“As far as we know, not many computers have fallen victim to this threat yet. However, in some cases, server computers don’t have antivirus products installed on them in the same way that personal computers would. Hopefully this isn’t a reason for the low rate of detection,” Katsuki said.