All Your Tomcat Are Belong to Bad Guys?

Symantec has discovered a new back door worm-type threat which targets servers running Apache Tomcat. This threat is a little different from the ones we usually encounter every day.

Back door type Trojan horses and worms let attackers execute various commands on compromised computers and essentially enable the attacker to control a computer remotely. This means that important information can be stolen from the user and their computer could be used to attack other victims.

You may think that this type of attack only targets personal computers, such as desktops and laptops, but unfortunately that isn’t true. Servers can also be attacked. They are quite valuable targets, since they are usually high-performance computers and run 24x7. We often see back door type Trojans that are written in PHP, such as PHP.Backdoor.Trojan. This time around though, Symantec has found a back door worm that acts as a Java Servlet. We have named it Java.Tomdep.

Figure 1. How Java.Tomdep spreads

The Java Servlet is executed on Apache Tomcat, but it does not create a Web page and instead behaves as an IRC bot. It connects to an IRC server and performs commands sent from the attacker. End users who visit Web pages from the compromised Tomcat server are not affected by this threat. Aside from standard commands such as download, upload, creating a new process, SOCKS proxy, UDP flooding, and updating itself, compromised computers can also scan for other Tomcat servers and send the malware to them. It is thus possible that DDoS attacks from the compromised servers are the attacker's purpose.

When it finds another Tomcat server, it first attempts to log in with the following pairs of weak usernames and passwords:

Figure 2. Usernames and passwords used in attempts to log in by Java.Tomdep

Then it deploys itself to the found Tomcat server:

Figure 3. Java.Tomdep deploys to the found Tomcat server

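The spreading behaviour described above (a run of failed manager logins followed by a deployment through the manager application) leaves a recognisable trail in the Tomcat access log. The following script is an added example, not Symantec's code and not part of the Java.Tomdep analysis: it parses access-log lines in the default AccessLogValve format (`%h %l %u %t "%r" %s %b`), counts 401 responses to the manager application per source address, and flags any deployment request that follows a burst of failures. The log lines, the IP address and the threshold are constructed for the demonstration; the manager paths are Tomcat's standard deployment endpoints.

```python
import re
from collections import defaultdict

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Paths through which the Tomcat manager application accepts a new WAR.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

# Constructed sample log (not real traffic): six failed manager logins from one
# address, then a successful login and a deployment, then an unrelated local admin.
SAMPLE_LOG = """
198.51.100.23 - - [10/Nov/2013:14:02:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [10/Nov/2013:14:02:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [10/Nov/2013:14:02:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [10/Nov/2013:14:02:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [10/Nov/2013:14:02:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [10/Nov/2013:14:02:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - tomcat [10/Nov/2013:14:02:07 +0000] "GET /manager/html HTTP/1.1" 200 11345
198.51.100.23 - tomcat [10/Nov/2013:14:02:09 +0000] "PUT /manager/text/deploy?path=/app1&update=true HTTP/1.1" 200 46
127.0.0.1 - admin [10/Nov/2013:14:10:00 +0000] "GET /manager/html HTTP/1.1" 200 11345
""".strip().splitlines()


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, fail_threshold=5):
    """Scan log lines and return (finding, source_ip, timestamp) tuples.

    'manager_bruteforce'       : an address reached fail_threshold 401s on /manager/
    'deploy_after_bruteforce'  : that address then deployed through the manager
    'manager_deploy'           : a deployment with no preceding failure burst
    """
    failures = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            failures[ip] += 1
            if failures[ip] == fail_threshold:  # report once per address
                findings.append(("manager_bruteforce", ip, rec["ts"]))
        elif rec["status"] == 200 and rec["path"].startswith(DEPLOY_PATHS):
            kind = "deploy_after_bruteforce" if failures[ip] >= fail_threshold else "manager_deploy"
            findings.append((kind, ip, rec["ts"]))
    return findings


if __name__ == "__main__":
    for kind, ip, ts in analyze(SAMPLE_LOG):
        print(f"{ts}  {kind:24s}  {ip}")
```

A `manager_deploy` on its own is normal administration; the pairing with a failure burst from the same address is what distinguishes the worm's pattern, so the deployment finding is the one to page on. Because the text interface answers 200 even when a deployment fails, the script treats any 200 on those paths as an attempt rather than a confirmed deployment.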
We know that the attacker’s command and control (C&C) servers are located in Taiwan and Luxembourg. We have infection reports from customers in a limited number of countries.

Figure 4. Infection report locations

As far as we know, not many computers have fallen victim to this threat yet. However, in some cases, server computers don’t have antivirus products installed on them in the same way that personal computers would. Hopefully this isn’t a reason for the low rate of detection.

In order to avoid this threat, ensure that your server and AV products are fully patched and updated. We recommend that you use strong passwords and do not open the management port to public access.
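The two recommendations above, strong credentials and a management port that is not reachable from the Internet, both live in Tomcat's configuration, so they can be checked mechanically. The script below is an added example, not Symantec's code and not part of the Java.Tomdep analysis: it audits the `<user>` entries in `tomcat-users.xml` that carry manager or admin roles for weak plaintext passwords, and checks whether the manager application's `context.xml` restricts access with a `RemoteAddrValve`. The weak and hardened configuration fragments, the usernames and the small weak-password list are constructed for the demonstration and are not the list shown in Figure 2; the element and attribute names are Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Constructed examples of the two configuration states (not from the page).
WEAK_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="admin" password="admin" roles="manager-gui"/>
</tomcat-users>
"""

HARDENED_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deploy-svc" password="Vq8#mZ2pL9!wR4tX" roles="manager-script"/>
</tomcat-users>
"""

# conf/Catalina/localhost/manager.xml: without a RemoteAddrValve the manager
# answers to any address the connector is bound to.
WEAK_MANAGER_CONTEXT = '<Context antiResourceLocking="false" privileged="true"></Context>'

HARDENED_MANAGER_CONTEXT = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""

# Small constructed list of passwords that should never guard a manager account.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "manager", "123456", "root"}
# Roles that grant deployment or administration rights in the manager/host-manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}
MIN_LENGTH = 12


def _local(tag):
    """Strip the XML namespace so the check works with and without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_users(xml_text):
    """Return (username, problem) pairs for privileged users with weak plaintext passwords."""
    issues = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        pw = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue
        if "$" in pw:
            # Tomcat's digested form is salt$iterations$hash; nothing to compare here.
            continue
        if pw.lower() == name.lower():
            issues.append((name, "password equals username"))
        if pw.lower() in WEAK_PASSWORDS:
            issues.append((name, "password is on the weak list"))
        if len(pw) < MIN_LENGTH:
            issues.append((name, f"password shorter than {MIN_LENGTH} characters"))
    return issues


def manager_restricted(context_xml):
    """True if the manager context carries a RemoteAddrValve with an allow list."""
    for el in ET.fromstring(context_xml).iter():
        if (_local(el.tag) == "Valve"
                and el.get("className", "").endswith("RemoteAddrValve")
                and el.get("allow")):
            return True
    return False


if __name__ == "__main__":
    for name, problem in audit_users(WEAK_USERS_XML):
        print(f"weak credential: {name}: {problem}")
    print("manager restricted (weak):", manager_restricted(WEAK_MANAGER_CONTEXT))
    print("manager restricted (hardened):", manager_restricted(HARDENED_MANAGER_CONTEXT))
```

The valve check is a configuration-level complement to the firewall rule the text recommends: the `allow` pattern keeps the manager reachable only from loopback even if the connector itself is exposed. Digested passwords are skipped rather than guessed at, so a clean result from `audit_users` means only that no weak plaintext credential was found.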

Symantec products detect this threat as Java.Tomdep and Java.Tomdep!gen1.