Date: 13-12-01 Categories: Security, News, Information Author: SPRITEKING Comments: 0 Views: 2,228

Security researchers at Symantec recently discovered a new cross-platform worm that targets Tomcat servers. The malware has been named "Java.Tomdep". Unlike other server back doors, it is not written in PHP, as is common, but in Java, and it runs on Tomcat as a Java servlet.
Because Java is cross-platform, the worm can infect Linux, Mac OS X, Solaris and various versions of Windows. Once a machine is infected, it goes on to scan for other machines with Tomcat installed, tries to brute-force the Tomcat password, and infects the next machine.

The malware is full-featured. Acting as an IRC bot, it can accept commands from the attacker, upload and download files, create processes, update itself, act as a SOCKS proxy, carry out UDP flood attacks, and so on. Its C&C servers are located in Taiwan and Luxembourg.

Symantec has discovered a new back door worm-type threat which targets servers running Apache Tomcat. This threat is a little different from the ones we usually encounter every day.

Back door type Trojan horses and worms let attackers execute various commands on compromised computers and essentially enable the attacker to control a computer remotely. This means that important information can be stolen from the user and their computer could be used to attack other victims.

You may think that this type of attack only targets personal computers, such as desktops and laptops, but unfortunately that isn’t true. Servers can also be attacked. They are quite valuable targets, since they are usually high-performance computers and run 24x7. We often see back door type Trojans that are written in PHP, such as PHP.Backdoor.Trojan. This time around though, Symantec has found a back door worm that acts as a Java Servlet. We have named it Java.Tomdep.
[Figure 1. How Java.Tomdep spreads]
The Java Servlet is executed on Apache Tomcat, but it does not create a Web page and instead behaves as an IRC bot. It connects to an IRC server and performs commands sent from the attacker. End users who visit Web pages from the compromised Tomcat server are not affected by this threat. Aside from standard commands such as download, upload, creating new processes, SOCKS proxying, UDP flooding, and updating itself, compromised computers can also scan for other Tomcat servers and send the malware to them. It is thus possible that DDoS attacks from the compromised servers are the attacker’s purpose.

When it finds another Tomcat server, it first attempts to log in with the following pairs of weak usernames and passwords:
[Figure 2. Usernames and passwords used in attempts to log in by Java.Tomdep]
Then it deploys itself to the found Tomcat server:
[Figure 3. Java.Tomdep deploys to the found Tomcat server]
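Both of the propagation steps just described, repeated failed logins against the Tomcat manager application followed by a deployment of the worm's WAR, leave traces in Tomcat's access log. The following added example (not part of the Symantec post) shows detection logic a defender could run over that log. It assumes the AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`) and the Tomcat 7 manager paths `/manager/html` and `/manager/text/deploy`; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern:  %h %l %u %t "%r" %s %b
# (%u is "-" when the request carried no accepted credentials)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log (not from the Symantec post): five rejected manager
# logins from one host, then a successful login and a WAR deployment through
# the manager text interface, plus unrelated traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2013:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Dec/2013:10:15:33 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Dec/2013:10:15:33 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Dec/2013:10:15:34 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [01/Dec/2013:10:15:34 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [01/Dec/2013:10:15:35 +0000] "GET /manager/html HTTP/1.1" 200 16213
10.0.0.5 - tomcat [01/Dec/2013:10:15:40 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 32
192.168.1.20 - - [01/Dec/2013:10:20:01 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.1.21 - admin [01/Dec/2013:10:21:01 +0000] "GET /manager/html HTTP/1.1" 200 16213
"""

MANAGER_PREFIX = "/manager"
DEPLOY_MARKERS = ("/deploy", "/upload")   # text API deploy and HTML form upload


def parse_line(line):
    """Return a dict for one access-log record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, fail_threshold=5):
    """Scan access-log text for manager-app abuse patterns.

    Returns a dict with three lists of findings:
      bruteforce             : hosts with >= fail_threshold 401/403s on /manager
      success_after_failures : hosts that then obtained a 200 with a username
      deploys                : PUT/POST deployments through the manager app
    """
    failures = defaultdict(int)
    findings = {"bruteforce": [], "success_after_failures": [], "deploys": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PREFIX):
            continue
        host = rec["host"]
        if rec["status"] in (401, 403):
            failures[host] += 1
            if failures[host] == fail_threshold:        # report each host once
                findings["bruteforce"].append({"host": host, "first_seen": rec["time"]})
            continue
        # A credentialed 200 right after a run of failures is the strongest signal:
        # one of the guessed pairs worked.
        if rec["status"] == 200 and rec["user"] != "-" and failures[host] >= fail_threshold:
            findings["success_after_failures"].append({"host": host, "user": rec["user"]})
            failures[host] = 0                           # a later run is reported afresh
        if rec["method"] in ("PUT", "POST") and any(mk in rec["path"] for mk in DEPLOY_MARKERS):
            findings["deploys"].append(
                {"host": host, "user": rec["user"], "path": rec["path"], "time": rec["time"]}
            )
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

Every deployment through the manager application is worth reviewing on its own, since legitimate deployments on a production server are rare and usually come from a known host; the brute-force counter is there to pick out the worm's guessing phase even when none of the guesses succeed.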
We know that the attacker’s command and control (C&C) servers are located in Taiwan and Luxembourg. We have infection reports from customers in a limited number of countries.
[Figure 4. Infection report locations]
As far as we know, not many computers have fallen victim to this threat yet. However, in some cases, server computers don’t have antivirus products installed on them in the same way that personal computers would. Hopefully this isn’t a reason for the low rate of detection.

In order to avoid this threat, ensure that your server and AV products are fully patched and updated. We recommend that you use strong passwords and do not open the management port to public access.
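The two recommendations above, a strong manager password and no public access to the management interface, map onto three Tomcat configuration files. The following is an added hardening example, not configuration from the Symantec post; it assumes a Tomcat 7 directory layout (`conf/tomcat-users.xml`, `webapps/manager/META-INF/context.xml`, `conf/server.xml`), and the username and password value are placeholders to be replaced.

```xml
<!-- conf/tomcat-users.xml: one dedicated account, long random passphrase,
     only the role the deployment process actually needs (manager-gui for the
     HTML console, manager-script for the text API; grant one, not both). -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="deploy-ops"
        password="REPLACE_WITH_LONG_RANDOM_PASSPHRASE"
        roles="manager-gui"/>
</tomcat-users>

<!-- webapps/manager/META-INF/context.xml: restrict the manager application
     to loopback (and, if needed, a management network) with RemoteAddrValve.
     The allow attribute is a regular expression matched against the client IP. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>

<!-- conf/server.xml: if the server only needs to be reached through a
     front-end proxy, bind the HTTP connector to loopback so the Tomcat port
     is not exposed to the network the worm scans. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           connectionTimeout="20000"
           redirectPort="8443"/>
```

If the manager application is not used at all, removing `webapps/manager` entirely is simpler than restricting it: the worm's login and deployment steps both depend on that application being present.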

Symantec products detect this threat as Java.Tomdep and Java.Tomdep!gen1.

Notice: this article was originally compiled by SPRITEKING; when reposting, please keep the link: A Java worm targeting Tomcat servers is spreading worldwide