Softpedia
 


October 26th, 2011, 13:42 GMT · By Eduard Kovacs

Unpatched Servers Exposed to JBoss Worm


Red Hat took care of the issue, but businesses apparently haven't
Because a large number of businesses that rely on JBoss Application Server have not applied the patch Red Hat released for a serious vulnerability, they now face the possibility of a worm infection that enlists their servers in a botnet.

The malware also attempts to install a remote access tool, which gives the attacker full control over the system.

“I explored the contents of the malicious payload left and it contained Perl Scripts to automatically connect the compromised host to an IRC Server and be part of a BOTNET, install and run a remote access tool using dyndns, and two Windows batch scripts, one is for exploring JBOSS Services and a script to discover all UDP-based members running on a certain mcast address JGroups called 'JGroups Cluster Discovery Script for Win32',” revealed a researcher who analyzed the threat.

Red Hat patched the flaw more than a year ago and is well aware of the worm and its destructive capabilities.

"Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user," wrote Red Hat's director of security response in a recent post.

Security researchers believe that outsourcing is the main issue here and not the vulnerability itself.

"Many businesses outsource web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them," said Marcus Carey, security researcher and community manager at Rapid7.

"The use of this new malware associated with JBoss is something we have not seen before. However, the actual vulnerability it is exploiting should have been snuffed out years ago. This is far more a business failure than a software security failure at this point."


