Worm hits insecure JBoss installations

A worm is currently affecting older versions of the JBoss enterprise application server. JBoss is a popular implementation of the Java EE enterprise platform owned by Red Hat.

The worm attempts to connect to the JMX console on a JBoss server. JMX (Java Management Extensions) is a Java standard for managing and monitoring applications, and the JBoss JMX console exposes it over HTTP. Due to a bug in the default security configuration of that console, only HTTP GET and POST requests to it are authenticated; any other HTTP method bypasses the check. The worm takes advantage of this by sending an HTTP HEAD request carrying a malicious payload, which the server processes just like a GET, to open a back door on the management server. The worm then uploads a few Perl and Windows batch files that scan for other vulnerable hosts and infect them as well. It also attempts to make the infected machine part of a botnet.

To protect themselves against this worm, JBoss users are urged to upgrade immediately to the newest version. A patch fixing this vulnerability was released in April 2010. Alternatively, a user can delete the two lines in the JMX console configuration file that restrict the authentication constraint to GET and POST; with them gone the constraint applies to every HTTP method, which forces authentication for all requests and thwarts the worm.
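The two-line fix above is easy to misread, because a servlet security constraint that lists HTTP methods protects only those methods, while one that lists none protects all of them. The following script, added here as an illustration and not part of the original article or of JBoss itself, models that rule over a constructed web.xml fragment shaped like the one shipped with older JBoss JMX consoles (the path `/HtmlAdaptor`, the role name `JBossAdmin` and the trimmed-down file contents are assumptions for the example), then derives the fixed file by deleting the two `<http-method>` lines and shows which methods each version leaves unauthenticated:

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the jmx-console web.xml of older JBoss AS
# releases. Assumption: the real file also carries <description>, <login-config>
# and <security-role> elements, which do not affect method matching and are
# omitted here.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# The fix described in the article: the same file with the two <http-method>
# lines deleted, so the constraint covers every HTTP method.
FIXED_WEB_XML = "\n".join(
    line for line in VULNERABLE_WEB_XML.splitlines() if "<http-method>" not in line
)


def url_pattern_matches(pattern, path):
    """Minimal servlet-spec url-pattern matching: exact, path-prefix ('/x/*'),
    or extension ('*.jsp'). The query string is ignored, as the container does."""
    path = path.split("?", 1)[0]
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def requires_auth(web_xml, method, path):
    """True if a servlet container would refuse to serve `method path` to an
    anonymous client under this web.xml. Only the method/url-pattern rule is
    modelled; role checks are out of scope."""
    root = ET.fromstring(web_xml)
    method = method.upper()
    for constraint in root.iter("security-constraint"):
        # A constraint with no <auth-constraint> grants anonymous access.
        if constraint.find("auth-constraint") is None:
            continue
        for collection in constraint.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in collection.findall("url-pattern")]
            methods = [m.text.strip().upper() for m in collection.findall("http-method")]
            if not any(url_pattern_matches(p, path) for p in patterns):
                continue
            # Servlet rule: an empty method list means "all methods"; a
            # non-empty list covers only the listed ones, so HEAD, PUT, ...
            # fall outside a GET/POST-only constraint.
            if not methods or method in methods:
                return True
    return False


HTTP_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")


def unauthenticated_methods(web_xml, path, candidates=HTTP_METHODS):
    """List the candidate methods that reach `path` without authentication."""
    return [m for m in candidates if not requires_auth(web_xml, m, path)]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "-> open methods:", unauthenticated_methods(cfg, "/HtmlAdaptor"))
```

HEAD appears in the vulnerable list because it is matched by the same `/*` pattern but is not among the listed methods; since a servlet answers HEAD by running its GET handler and discarding the body, the unauthenticated HEAD still executes the requested JMX operation. The script only models the configuration; to confirm a live server, compare the status codes of a GET and a HEAD to the console and expect both to be 401.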

The relevant security patch can be found here. An analysis of the worm can be found here.
