Trend Micro today announced the discovery of a new class of malicious backdoor aimed at infecting HTTP servers implemented to work with Java. The backdoor allows attackers to execute malicious commands on the system on which the server is running. The threat, known as BKDR_JAVAWAR.JG, is implemented as a JSP (Java Server Page) that lets an attacker initially run malicious code on the Java server and directly access Java servlet containers such as Apache Tomcat.
Once the code is compiled and run, a potential attacker can remotely access the server and view, edit, download or delete the files on it through a common Web-based console. Something similar appeared earlier for PHP, but PHP backdoors could not work with anything other than the PHP interpreter.
“Besides the fact that the attacker can gain access to sensitive information, it can also infect the server with other malicious code and gain unauthorized access to other data,” said Trend Micro.
The JSP backdoor can be installed by other malware already present on the server, and in some cases other malicious software can install both the backdoor itself and the Java server that will house it. According to Trend Micro, the malicious code runs under Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows 7.
“Another possible scenario of attack is to find servers with Apache Tomcat and subsequently attempt to access the Tomcat Application Manager. Using password-cracking programs, it can log on to the server with a weak administrative password and deploy malicious code through a WAR (Web application archive),” says Trend Micro.
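The Tomcat Manager scenario in the last quote leaves a recognizable trail in the server's access log: a burst of failed logins against the manager, a successful login, then a WAR upload. The following detection sketch is an added example, not code from Trend Micro or from the original article. It assumes Tomcat's AccessLogValve is writing the `common` pattern, treats a threshold of 5 failures per client as suspicious (an assumed value), and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Manager endpoints that accept a WAR: HTML upload form, text API, Tomcat 6 path
DEPLOY = re.compile(r'^/manager/(html/upload|text/deploy|deploy)\b')

def scan(lines, threshold=5):
    """Return alerts as (kind, client_ip, detail) tuples, in log order."""
    failures = defaultdict(int)   # failed manager logins per client IP
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        if not path.startswith("/manager/"):
            continue
        if status == "401":
            # A browser's first unauthenticated request also yields one 401,
            # so only a run of failures reaching the threshold is reported.
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.append(("manager-bruteforce", ip, f"{threshold} failed logins"))
        elif int(status) < 400 and user != "-":
            if failures[ip] >= threshold:
                # Authenticated request right after a failure burst
                alerts.append(("login-after-bruteforce", ip, user))
                failures[ip] = 0
            if method in ("POST", "PUT") and DEPLOY.match(path):
                alerts.append(("war-deploy", ip, path.split("?")[0]))
    return alerts

def sample_log():
    """Constructed sample data (documentation IP ranges), not real traffic."""
    ts = "[10/Jan/2013:10:00:00 +0000]"
    rows = [f'192.0.2.10 - - {ts} "GET /manager/html HTTP/1.1" 401 2474',
            f'192.0.2.10 - admin {ts} "GET /manager/html HTTP/1.1" 200 15000']
    rows += [f'203.0.113.7 - - {ts} "GET /manager/html HTTP/1.1" 401 2474'] * 6
    rows += [f'203.0.113.7 - tomcat {ts} "GET /manager/html HTTP/1.1" 200 15000',
             f'203.0.113.7 - tomcat {ts} "POST /manager/html/upload?nonce=X HTTP/1.1" 200 16000']
    return rows

if __name__ == "__main__":
    for alert in scan(sample_log()):
        print(alert)
```

Every `war-deploy` alert is worth reviewing against change records, including those from expected administrators; a deployment preceded by `login-after-bruteforce` from the same client is the pattern the quote describes.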