The Tech Herald

JBoss attack proves Microsoft’s Zero-Day findings

by Steve Ragan - Oct 24 2011, 12:30

JBoss attack proves Microsoft’s Zero-Day findings. Credit: Red Hat.

A Worm targeting unpatched or improperly configured JBoss installations adds some proof to Microsoft’s research findings released earlier this month, which point to the fact that unknown vulnerabilities aren’t as big of a threat as they are made out to be.

According to Red Hat, a Worm targeting problems addressed over a year ago is spreading online, which allows an attacker to run arbitrary code on compromised systems. The Worm was broken down by a freelance security researcher, who happened to come across it when his Honeypot server was attacked.

“I explored the contents of the malicious payload left, and it contained Perl Scripts to automatically connect the compromised host to an IRC Server and be part of a BOTNET,” wrote the researcher, who uses the name @guerilla7 on Twitter.

"[The Perl Scripts] install and run a remote access tool using DynDNS (Flu.pl), and two Windows batch scripts, one is for exploring JBOSS Services (wstools.bat) and a script to discover all UDP-based members running on a certain mcast  addressJGroups called "JGroups Cluster Discovery Script for Win32" (probe.bat)."

The authentication bypass vulnerabilities in JBoss were patched in April 2010, and they were covered along with other issues by Christian Papathanasiou, during Trustwave’s BlackHat EU talk the same year. It’s worth reading up on the security concerns, if your organization is one of the tens of thousands of enterprises using it in JSP deployments. [BlackHat EU 2010 Slides]

Likewise, guidance on dealing with password configuration protection related issues can be seen here.

“This problem is exacerbated by many organizations deploying systems that they don’t keep up to date. Many businesses outsource Web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them. Many organizations treat these deployments as black boxes, and don’t touch them out of fear that they'll break something,” commented Marcus Carey, security researcher at Rapid7.
 

“There are three exploit modules in Metasploit, an open source security tool, that exploit this vulnerability. There is also a scanner available in Metasploit to allow organizations to scan for it...yet many organizations are not doing so and are seriously dropping the ball. The use of this new malware associated with JBoss is something we have not seen before; however, the actual vulnerability it is exploiting should have been snuffed out years ago. This is far more a business failure than a software security failure at this point.”

As mentioned, the JBoss attack is a textbook example of what Microsoft reported earlier this month. In their annual Security Intelligence Report, Microsoft said that security flaws where patches are available greatly outnumber zero-day attacks.

According to the research, exploits with a patch available for over a year accounted for 3.2% of compromises, compared to 2.4% for patches available for less than a year. Much-talked-about zero-day attacks were responsible for just 0.12% activity.

“The numbers don't lie; organizations are much more likely to be hit with something they didn't patch instead of a zero-day. This latest news story, as well as the Microsoft report both scream the need to get back to the basics in security. This means better training users and system administrators to prioritize known threats,” added Carey.

Additional Red Hat information on JBoss is can be viewed here and here.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...