The Tech Herald

JBoss attack proves Microsoft’s Zero-Day findings

by Steve Ragan - Oct 24 2011, 12:30


A worm targeting unpatched or misconfigured JBoss installations lends weight to research findings Microsoft released earlier this month, which conclude that previously unknown vulnerabilities are a far smaller share of real-world compromises than they are made out to be.

According to Red Hat, a worm that exploits problems fixed more than a year ago is spreading online; the flaws it uses allow an attacker to run arbitrary code on compromised systems. The worm was dissected by a freelance security researcher who came across it when his honeypot server was attacked.

“I explored the contents of the malicious payload left, and it contained Perl scripts to automatically connect the compromised host to an IRC server and be part of a botnet,” wrote the researcher, who uses the name @guerilla7 on Twitter.

“[The Perl scripts] install and run a remote access tool using DynDNS (Flu.pl), and two Windows batch scripts, one is for exploring JBoss services (wstools.bat) and a script to discover all UDP-based members running on a certain mcast address (JGroups) called ‘JGroups Cluster Discovery Script for Win32’ (probe.bat).”

The authentication bypass vulnerabilities in JBoss were patched in April 2010, and Christian Papathanasiou of Trustwave covered them, along with other JBoss issues, in a BlackHat EU talk the same year. If your organization is one of the tens of thousands of enterprises running JBoss for JSP deployments, the security concerns are worth reading up on. [BlackHat EU 2010 Slides]

Likewise, Red Hat publishes guidance on password-protecting the JBoss console configuration.
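To make the configuration point concrete, the following is an added example and not code from The Tech Herald, Red Hat or the JBoss project. It is a static check over a jmx-console web.xml for the two conditions behind the 2010 advisories: a security constraint that is missing (or commented out, which is how the console shipped) so no login is required, and a constraint that enumerates specific http-method elements, so any verb not listed (HEAD, for instance) reaches the console without authentication. That per-verb restriction is what the April 2010 fix removed. The three sample documents are constructed for this example and only mirror the shape of the real descriptor; the web.xml path in the note below is the JBoss AS 4/5 layout.

```python
# Added example: audit a jmx-console web.xml for the weaknesses the article refers to.
# Not code from the article, Red Hat or JBoss; sample descriptors below are constructed.
import xml.etree.ElementTree as ET


def _local(tag):
    # web.xml may or may not declare the J2EE namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]


def audit_jmx_web_xml(xml_text):
    """Return a list of (code, detail) findings; an empty list means the constraint looks sound.

    NO_CONSTRAINT      - no <security-constraint> at all: the console is open to anyone
    NO_AUTH_CONSTRAINT - a constraint that names no role, so the container enforces nothing
    VERB_RESTRICTED    - a constraint that lists <http-method>s: verbs not listed bypass auth
    """
    root = ET.fromstring(xml_text)
    constraints = [e for e in root.iter() if _local(e.tag) == "security-constraint"]
    if not constraints:
        return [("NO_CONSTRAINT", "no security-constraint element found")]
    findings = []
    for sc in constraints:
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            findings.append(("NO_AUTH_CONSTRAINT", "security-constraint has no auth-constraint"))
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            name_el = next((c for c in wrc if _local(c.tag) == "web-resource-name"), None)
            name = (name_el.text or "").strip() if name_el is not None else "<unnamed>"
            methods = sorted((m.text or "").strip().upper()
                             for m in wrc if _local(m.tag) == "http-method")
            if methods:
                findings.append(("VERB_RESTRICTED",
                                 f"{name}: only {', '.join(methods)} require auth; other verbs bypass it"))
    return findings


# Constructed: the pre-fix shape. Role JBossAdmin is required, but only for GET and POST.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed: the constraint commented out. The parser skips it just as the container
# does, so the console requires no login at all.
OPEN_WEB_XML = """<web-app>
  <!--
  <security-constraint> commented out, so never enforced </security-constraint>
  -->
</web-app>
"""

# Constructed: the hardened form. No <http-method> list, so the constraint covers every verb.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("open", OPEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, audit_jmx_web_xml(doc) or "OK")
```

On a JBoss AS 4 or 5 server the descriptor to feed this is server/<profile>/deploy/jmx-console.war/WEB-INF/web.xml. A clean result from this check is necessary but not sufficient: the constraint only bites if jboss-web.xml binds the application to a security domain and the default admin/admin credentials in the console's users properties file have been changed, which is the password-protection guidance Red Hat refers to.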

“This problem is exacerbated by many organizations deploying systems that they don’t keep up to date. Many businesses outsource Web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them. Many organizations treat these deployments as black boxes, and don’t touch them out of fear that they'll break something,” commented Marcus Carey, security researcher at Rapid7.

“There are three exploit modules in Metasploit, an open source security tool, that exploit this vulnerability. There is also a scanner available in Metasploit to allow organizations to scan for it...yet many organizations are not doing so and are seriously dropping the ball. The use of this new malware associated with JBoss is something we have not seen before; however, the actual vulnerability it is exploiting should have been snuffed out years ago. This is far more a business failure than a software security failure at this point.”

As mentioned, the JBoss attack is a textbook example of what Microsoft reported earlier this month. In the latest volume of its Security Intelligence Report, Microsoft said that attacks on flaws for which a patch is already available greatly outnumber zero-day attacks.

According to the research, exploits for vulnerabilities with a patch available for more than a year accounted for 3.2% of compromises, compared with 2.4% for vulnerabilities whose patch had been available for less than a year. The much-discussed zero-day attacks were responsible for just 0.12% of activity.

“The numbers don't lie; organizations are much more likely to be hit with something they didn't patch instead of a zero-day. This latest news story, as well as the Microsoft report, both scream the need to get back to the basics in security. This means better training of users and system administrators to prioritize known threats,” added Carey.

Red Hat has published additional information on JBoss and on this attack.
