Malware like BKDR_JAVAWAR.JG prove that web servers are viable targets by cybercriminals, as they store crucial data and can be used to infect other systems once unwitting users visit affected websites.
We recently spotted a Java Server page that performs backdoor routines and gains control over vulnerable server. Trend Micro detects this as BKDR_JAVAWAR.JG. This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware.
For this attack to be successful, the targeted system must be a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager.
Using a password cracking tool, cybercriminals can access and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server. The backdoor will be automatically added in the accessible Java Server pages. To execute its routine, the attacker can access the Java Server page using the following:
Error! Hyperlink reference not valid. sub-directory inside Tomcat webapps folder}/{malware name}
