According to Fisher, the worm has been circulating for a couple of days at least, and it's not clear right now how many servers have been compromised or what the origins of it are.
“It apparently exploits an old vulnerability in the JBoss Application Server, which was patched in April 2010, in order to compromise new machines. Once that is accomplished, the worm begins a post-infection routine that includes a number of different steps”, he wrote in his latest security posting.
Interestingly, Fisher said that one user who found the worm's payload on a honeypot machine he controls posted a message to Pastebin noting that the payload includes a variety of Perl scripts – one of which immediately connects a newly infected machine to an IRC server, effectively adding it to a botnet of other compromised JBoss servers.
The payload, he noted, also installs a remote access trojan for future use by the attacker.
Officials at Red Hat – which provides paid support for the open-source JBoss software – claim that the vulnerability the worm exploits has been patched for more than 18 months and users running outdated versions of the JBoss Application Server should patch their installations immediately.
"Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it. This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user", said Mark Cox, Red Hat's director of security response.
"The worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products. An update to JBoss enterprise products was produced in April 2010 to correct the flaw, CVE-2010-0738."
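As an added, defender-side example (not code from the article, Red Hat or Rapid7), here is a small Python scanner that reads web-server access log lines and flags JMX console requests matching the pattern Red Hat describes: the console answering an unprotected request. It goes beyond the article in one detail: CVE-2010-0738 is the console's access control applying only to GET and POST, so a successful reply to any other method is one of the indicators checked. The combined log format, the default console paths, the 10.0.0.0/8 management network and the log lines themselves are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional
# Combined log format parser; the constructed sample below follows it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Default JBoss management console paths the worm went after.
CONSOLE_PREFIXES = ("/jmx-console", "/web-console")
# Assumed management network; only these clients may reach the consoles.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def console_findings(entry: Dict[str, str]) -> List[str]:
    """Reasons a console request is suspicious; empty means nothing to flag."""
    if not entry["path"].lower().startswith(CONSOLE_PREFIXES):
        return []
    reasons = []
    accepted = entry["status"].startswith("2")
    # CVE-2010-0738: the console's access control covered only GET and POST,
    # so a 2xx reply to any other method means the auth check was skipped.
    if accepted and entry["method"] not in ("GET", "POST"):
        reasons.append("non-GET/POST request accepted by console (verb bypass)")
    client = ipaddress.ip_address(entry["ip"])
    if accepted and not any(client in net for net in MGMT_NETS):
        reasons.append("console answered a client outside the management network")
    return reasons

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One record (log fields plus reasons) per suspicious console request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        reasons = console_findings(entry) if entry else []
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings

# Constructed sample: an internal admin logging in, then a worm-style probe.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2011:10:01:02 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
10.0.0.5 - - [20/Oct/2011:10:01:09 +0000] "GET /jmx-console/ HTTP/1.1" 200 3121
198.51.100.23 - - [20/Oct/2011:10:05:41 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 0
"""
```

Run `scan(SAMPLE_LOG.splitlines())` to get the flagged records; on real logs, feed it the file's lines and route the findings to your alerting.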
Commenting on this apparently resurrected security issue, Marcus Carey, security researcher and community manager with Rapid7, said that the problem is made worse by the many organizations that deploy systems and then don’t keep them up to date.
“Many businesses outsource web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them. Many organizations treat these deployments as black boxes, and don’t touch them out of fear that they'll break something”, he explained.
According to Carey, there are three exploit modules in Metasploit, an open source security tool, that exploit this vulnerability.
“There is also a scanner available in Metasploit to allow organizations to scan for it. So basically you can detect and patch this vulnerability for free and yet many organizations are not doing so and are seriously dropping the ball. The use of this new malware associated with JBoss is something we have not seen before; however, the actual vulnerability it is exploiting should have been snuffed out years ago”, he said.
“This is far more a business failure than a software security failure at this point”, he added.