Antivirus company Trend Micro today announced the discovery of a new class of backdoor malware aimed at infecting HTTP servers implemented to work with Java.
The code allows attackers to execute malicious commands on the system on which the server is running. The threat, known as BKDR_JAVAWAR.JG, is implemented as a JSP (Java Server Page), which allows it to initially run malicious code on the Java server and to directly access Java servlet containers such as Apache Tomcat.
After the attacking code is started, a potential attacker can remotely access the server and view, edit, download or delete the files on it through an ordinary Web-based console. Something similar appeared earlier for PHP, but PHP backdoors could not work with anything other than the PHP interpreter.
“Besides the fact that the attacker can gain access to sensitive information, it can also infect the server with other malicious code and gain unauthorized access to other data,” Trend Micro said.
The JSP backdoor can be installed by other malware already present on the server, and in some cases other malicious software can install both itself and the Java server that will house the backdoor. According to Trend Micro, the malicious code runs under Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows 7.
“Another possible attack scenario is to find servers with Apache Tomcat and subsequently attempt to access the Tomcat Application Manager. Using password-cracking programs, attackers can log on to the server with a weak administrative password and deploy malicious code through a WAR (Web application archive),” Trend Micro says.
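
The Tomcat Manager scenario described above leaves a recognizable trace in the access log: a run of 401 responses on /manager/ followed by a successful WAR upload from the same client. The detection sketch below is an added example, not Trend Micro's code; it assumes Tomcat's AccessLogValve writes the "common" pattern, and the sample log lines, the threshold and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Manager endpoints that deploy a WAR (HTML upload form, text-interface deploy)
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy)')

def find_suspect_deploys(lines, min_failures=5):
    """Return (ip, user, path) for each successful WAR deployment through the
    Manager that follows at least min_failures 401 responses to the same client."""
    failures = defaultdict(int)  # client IP -> number of 401s seen on /manager/
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the expected format
        ip, user, method, path, status = m.groups()
        if not path.startswith("/manager/"):
            continue
        if status == "401":
            failures[ip] += 1
        elif (status.startswith("2") and method in ("POST", "PUT")
              and DEPLOY.match(path) and failures[ip] >= min_failures):
            alerts.append((ip, user, path.split("?")[0]))
    return alerts

# Constructed sample log (documentation address ranges, not real traffic).
# 203.0.113.7 guesses passwords, then uploads a WAR; 198.51.100.20 is an
# administrator whose browser gets the usual single 401 challenge first.
SAMPLE = (
    ['203.0.113.7 - - [01/Jan/2024:10:00:%02d +0000] '
     '"GET /manager/html HTTP/1.1" 401 2474' % s for s in range(6)]
    + ['203.0.113.7 - admin [01/Jan/2024:10:00:07 +0000] '
       '"GET /manager/html HTTP/1.1" 200 15012',
       '203.0.113.7 - admin [01/Jan/2024:10:00:09 +0000] '
       '"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED'
       ' HTTP/1.1" 200 16230',
       '198.51.100.20 - - [01/Jan/2024:11:30:00 +0000] '
       '"GET /manager/html HTTP/1.1" 401 2474',
       '198.51.100.20 - ops [01/Jan/2024:11:30:04 +0000] '
       '"POST /manager/html/upload HTTP/1.1" 200 16100']
)

if __name__ == "__main__":
    for ip, user, path in find_suspect_deploys(SAMPLE):
        print("suspect WAR deployment: %s as %s via %s" % (ip, user, path))
```

An alert from this heuristic is a prompt to review which WAR was deployed and whether the Manager application needs to be reachable from that network at all.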