Web attack that poisons Google results gets worse
A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergence Response Team warned on Monday.
The attack, which has intensified in recent days, can be found on several thousand legitimate Web sites, according to security experts. It targets known flaws in Adobe's software and uses them to install a malicious program on victims' machines, CERT said.
The program then steals FTP login credentials from victims and uses that information to spread further. It also hijacks the victim's browser, replacing Google search results with links chosen by the attackers.
Security experts started tracking the attack in March, when it had infected several hundred Web sites, but in recent weeks the number of infected sites has jumped dramatically. The attack has been called Gumblar because at one point it used the Gumblar.cn domain, though on Monday it had switched to a different one.
Security vendor ScanSafe has counted more than 3,000 infected Web sites, up from around 800 just over a week ago.
That kind of continued growth is unusual, according to Mary Landesman, a senior security researcher with ScanSafe. Attackers have launched many widespread Web attacks over the past few years, but after a few months the total number of infected sites usually drops as Webmasters clean up their servers.
With Gumblar, more and more sites are now being infected. Landesman believes it's because Gumblar's creators have been good at obfuscating their attack code and making it harder to spot on infected sites. And because they've been stealing FTP login credentials, they've been able to use a few new tricks to get their software onto the sites. "They're doing things like changing folder permissions … and leaving behind multiple ways that they can get back into the server," she said.
Still, Web attacks have become so widespread that Gumblar remains a relatively small-scale phenomenon, according to Symantec Security Response Product Manager John Harrison. Last year, Symantec counted 18 million online attacks against its customers. With Gumblar, it has counted 10,000. "It's really just another day with drive-by downloads," he said. "There really are so many of these."
Security experts say that if you're using a fully-patched system with up-to-date security software, you should be protected from these attacks. To date, they've worked by hitting the victim with malicious PDF or Flash files.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
