JBoss Worm Perl.Bossworm Infection

Let me provide you some of the my network analysis and IPS reports, soon after I found that my test JBoss Server has been infected by Perl.Bossworm.

Perl.Bossworm is a malignant worm that exploits the JBoss Enterprise Application Platform Multiple Vulnerabilities (BID 39710) in order to copy itself to unpatched JBOSS servers. When Perl.Bossworm sets up to a vulnerable server, it finds and infects more vulnerable servers. Perl.Bossworm connects to predetermined domains for downloading and installing other malware threats. Remove Perl.Bossworm before it harms your PC system.

How to find out JBoss Worm Infection on your network :-

Perl.Bossworm symptoms on JBoss Server is discussed and very well explained  in JBoss Community. Where as, below are the symptoms on the network side from my lab:

Symptom 1:

  • the connectivity  between Network Switch and Firewall would be very unstable. I had frequent disconnections – request timeout even when I ping the Inside interface of Firewall from the Switch Telnet console. So obviously, you will have either slow Internet connection or no connectivity at all.
Telnet to your Network Switch and ping to Inside LAN interface of Firewall to check the response (PING) status.
Symptom 2:
  • Network Switch utilization has gone up and reached 99% 🙁
Commands to execute and verify on Network Switch:
1. sh proc cpu sorted (Cisco Switch Command)
You could see that my switch utilization has gone very high within 5 seconds statistics
2. show platform cpu packet statistics  (Cisco Switch Command)
Port GI 7/9 on Network Switch is where JBoss Server was connected, finally found to be transmitting huge number of packets in few seconds

Firewall and IPS (Intrusion Prevention System) Worm Infection Report:-

The IPS reports shown below will clarify the doubts of what has really caused to utilize so high CPU of Network Switch and Firwall disconnectivity

  • The next day after worm infection,  it has established nearly 17000 irc-base sessions to Outside Internet.

  • 342 GB of Bandwidth has been utilized on day 2 of infection
  • Finallywe have the IRC IPs to which infected JBoss server was communicating
Solution to remove JBoss Worm: