It spreads by exploiting a previously patched vulnerability (CVE-2010-0378) in the application. A remote attacker can bypass security restrictions (without any login or password) and execute commands in the context of the user running JBoss, through crafted GET or POST HTTP requests.
The malicious payload contains scripts that automatically connect the compromised host to an IRC server so that it becomes part of a botnet, invoke the JMX console, install and run a remote access tool using DynDNS, explore JBoss services, and discover all UDP-based members running on a given multicast (mcast) address in a JGroups cluster, using a script called "JGroups Cluster Discovery Script for Win32" (probe.bat). An excerpt of the payload is shown below:
The following C&C servers were observed in the campaign, connecting over port 8080/TCP (domains shown defanged):
boss.dyndns .biz, webstats.twilightparadox .com, weztatso.dyndns-remote .com, jasuyeifd.dyndns .info, chillbill.twilightparadox .com, cents.dyndns-web .com
Patch the vulnerability CVE-2010-0378.
Red Hat's instructions for JBoss JMX console best practices can be found here.
Search the log files for the payload mentioned in this advisory or similar scripts, and clean the infected pages.
Watch for connections to the above-mentioned hosts and block them at the perimeter as well.
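As an added illustration of the last two steps (this is example code, not part of the original advisory), the script below scans constructed access log lines for successful requests to the JBoss consoles from non-admin sources, and matches connection records against the C&C hosts listed above. It assumes a combined-format access log, the standard /jmx-console/ and /web-console/ paths, and a caller-supplied allowlist of admin source addresses; the sample log and connection records are constructed.

```python
import re
# The C&C hosts listed in the advisory, kept in the page's defanged form
DEFANGED_CC_HOSTS = [
    "boss.dyndns .biz", "webstats.twilightparadox .com",
    "weztatso.dyndns-remote .com", "jasuyeifd.dyndns .info",
    "chillbill.twilightparadox .com", "cents.dyndns-web .com",
]
CC_HOSTS = {h.replace(" ", "") for h in DEFANGED_CC_HOSTS}
# Combined-format access log line (assumed format; the advisory shows no log samples)
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Console paths that must never be served to unauthenticated clients
CONSOLE_PATHS = ("/jmx-console/", "/web-console/")

def find_console_hits(lines, allowed_sources=frozenset()):
    """(src, method, path, status) for each console request answered with 2xx/3xx
    from a source outside the admin allowlist. The HTTP method is deliberately
    not filtered: a bypass may use any verb, not only GET or POST."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m["path"].startswith(CONSOLE_PATHS):
            continue
        if m["src"] not in allowed_sources and m["status"][0] in "23":
            hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits

def find_cc_connections(records):
    """records: (src_ip, dst_host, dst_port) tuples from proxy, firewall or DNS logs.
    Any port is reported, although the campaign was observed on 8080/TCP."""
    return [r for r in records if r[1].lower().rstrip(".") in CC_HOSTS]

# Constructed sample data for a stand-alone run
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jun/2011:08:01:02 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 812',
    '10.0.0.5 - admin [10/Jun/2011:08:02:10 +0000] "GET /jmx-console/ HTTP/1.1" 200 4321',
    '198.51.100.9 - - [10/Jun/2011:08:03:44 +0000] "GET /jmx-console/ HTTP/1.1" 401 1234',
    '198.51.100.9 - - [10/Jun/2011:08:04:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]
SAMPLE_CONNECTIONS = [
    ("192.0.2.20", "boss.dyndns.biz", 8080),
    ("192.0.2.21", "updates.example.net", 443),
    ("192.0.2.22", "CENTS.DYNDNS-WEB.COM.", 8080),
]

if __name__ == "__main__":
    for hit in find_console_hits(SAMPLE_ACCESS_LOG, allowed_sources={"10.0.0.5"}):
        print("console access from non-admin source:", hit)
    for rec in find_cc_connections(SAMPLE_CONNECTIONS):
        print("connection to known C&C host:", rec)
```

Feed real access logs and proxy or firewall exports into the two functions in place of the constructed samples; a 401/403 on a console path is the container refusing the request, so only successful responses are reported.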