Tomcat worm puts servers under attackers remote control
Java.Tomdep reportedly turning victims into IRC-instructed zombies, but has yet to reveal its sinister agenda.
Researchers from Symantec have identified a worm that places infected Tomcat servers under the complete control of third-party attackers.
First discovered by the Norton Antivirus company on October 30 and subsequently christened Java.Tomdep, the worm affects Tomcat on practically every operating system (aside from Windows 8). It acts as a Java servlet, inserting a file called ApacheLoader.war into the Tomcat application folder.
According to researcher Takashi Katsuki, Tomdep poses no threat to end users accessing a Tomcat-hosted website. Instead, it allows the worm’s controllers total control over the infected server, with commands being sent over an IRC connection.
Katsuki speculates that the worm’s creators may be attempting to build an army of zombie servers for use in DDoS attacks. However, this could change since the worm can be updated remotely.
Tomdep spreads by searching random IP addresses for other instances of Tomcat, then entering weak username/password combinations such as “root/root”, “tomcat/admin” and “admin/password”.
If successful, it will replicate itself, connect to the remote IRC servers and then seek out further targets. These remote “command and control” servers have been tracked down to Taiwan and Luxembourg – though the attackers could be based anywhere.
Symantec doesn’t believe Tomdep has become widespread yet – its antivirus products have detected fewer than 50 cases so far. To avoid infection, Katsuki recommends ensuring servers are fully patched, using strong passwords and not opening the management port to public access. And for those who believe their systems may be infected, the antivirus company’s recommended course of action is – of course – to do a full system scan using its software.
Photo by mricon.