Gumblar Attack explodes across the web

Discussion in 'Tech, Gadgets & Science Forum' started by Invisible, May 17, 2009.

  1. Invisible

    Invisible Admin Staff Member

    May 17, 2009
    Joined: Feb 11, 2006
    Messages: 9,095
    Likes Received: 130
    Trophy Points: 160
    A complex new malware attack is setting infection records and raising serious alarms in the security community.

    Known unofficially as 'Gumblar' for one of the attack domains, the malware uses prolific attack methods and carries a dangerous payload.

    The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly.

    Researchers say that the attack spreads by compromising web sites and injecting malicious JavaScript code into certain components of the site. A victim runs the risk of the JavaScript attack simply by visiting the infected pages.

    Once a site is compromised, the malware alters access credentials and folder permissions to allow an attacker a 'back door' for entry to the site even when the user has changed passwords. The malicious code is also altered in slight ways, preventing administrators from automatically searching out and deleting the scripts.

    Because the infection is so hard to get rid of, researchers say that Gumblar has enjoyed far more success than previous malware attacks.

    First detected in late March, researchers thought that the attacks had been halted by mid-April when Google delisted the offending sites.

    However, a new variant of the attack arose early this month and has been spreading rapidly. Security firm ScanSafe estimates that Gumblar attacks have jumped some 188 per cent over the past week alone, and Sophos credits Gumblar with up to 42 per cent of all malware infections in the past seven days.

    "The gross infection rate is exceptional, especially this late in the game," said Mary Landesman, senior security researcher at ScanSafe. "Basically, it has been enjoying a free reign."

    The payload is also believed to be highly dangerous. Landesman said that the malware intercepts web traffic such as Google search requests, and redirects it to fraudulent results. This allows the attackers to collect referral fees, and places the user at risk of further infection.

    The malware also contains botnet controllers and is programmed to collect all FTP permissions on the infected systems, allowing Gumblar to infect any sites which the user administrates, further fostering the spread to new domains.

  2. SnEafer

    SnEafer Senior Member

    May 18, 2009
    Joined: Apr 1, 2009
    Messages: 154
    Likes Received: 0
    Trophy Points: 0
    damn, was it not declared dead?
  3. ThinkPad

    ThinkPad JF-Expert Member

    May 18, 2009
    Joined: Apr 11, 2008
    Messages: 1,847
    Likes Received: 10
    Trophy Points: 135
    Now we're in trouble; what will happen to those of us using Avast Free, guys?!
  4. SnEafer

    SnEafer Senior Member

    May 18, 2009
    Joined: Apr 1, 2009
    Messages: 154
    Likes Received: 0
    Trophy Points: 0
    Gumblar was declared dead in April ***I think***

    This is how it works:

    Gumblar seeks to identify old, unchecked vulnerabilities on a PC that browses a hacked site, installing malware where holes are discovered. Successful attacks install malware that manipulates Google search result pages when viewed by Internet Explorer, presenting victims with links to fraudulent sites.

    "For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded."

    "The Trojan could then allow cybercriminals control of the victim's computer, leading to myriad security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise - a common malware propagation tactic."

    ScanSafe reports that Gumblar attacks have risen by nearly 190% in the past week, making it one of the fastest growing infections on the web. So far around 2,300 sites are known to have been affected.

    Known as drive-by-download-attacks, these kinds of intrusions typically go after browser plug-ins installed by software and don't require opening or downloading anything.

    ScanSafe said that Gumblar has largely targeted PDF and Flash flaws discovered last year (such as APSA08-01 and APSB08-11), and users are advised to update to the latest versions of Adobe software. ScanSafe reports that Gumblar also takes advantage of old MDAC vulnerabilities, and recommends that users download the latest Microsoft updates.

    For the scripts there are many new programs that are designed to look for any suspected / vulnerable scripts that could be used; these programs could check for JavaScript, PHP scripts... ***XSS*** a good example is one that I designed for myself.
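A defender-side illustration of the point made earlier in the thread (each injected copy is altered slightly, so exact-string searches miss it) and of the script-checking programs mentioned in the last post. This is an added example, not code from the thread or from any named tool: it scores inline `<script>` blocks on obfuscation indicators rather than matching a fixed signature. The sample page, the indicator list and the threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Constructs typical of obfuscated injections: runtime decoding and dynamic eval.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode",
    r"document\.write\s*\(\s*unescape", r"%u[0-9a-f]{4}", r"\\x[0-9a-f]{2}",
)]

def shannon_entropy(s: str) -> float:
    """Bits per character: escaped/hex blobs score higher than ordinary code."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_script(body: str) -> int:
    """0 looks benign; each matched indicator adds one point."""
    compact = body.strip()
    score = sum(1 for p in SUSPICIOUS if p.search(compact))
    if len(compact) > 200 and "\n" not in compact:  # one very long line
        score += 1
    if shannon_entropy(compact) > 5.0:               # dense escapes/hex
        score += 1
    return score

def find_suspect_scripts(html: str, threshold: int = 2) -> list:
    """Return (offset, score, snippet) for each inline script scoring >= threshold."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        s = score_script(m.group(1))
        if s >= threshold:
            hits.append((m.start(), s, m.group(1).strip()[:60]))
    return hits

# Constructed sample page (not a real Gumblar payload): one legitimate script
# and one injected blob that decodes itself at runtime.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript">
function toggle(id) { var e = document.getElementById(id); e.hidden = !e.hidden; }
</script></head><body><p>Hello</p>
<script>var a="%u003c%u0073%u0063%u0072%u0069%u0070%u0074";document.write(unescape(a));eval(String.fromCharCode(118,97,114));</script>
</body></html>"""

if __name__ == "__main__":
    for off, sc, snip in find_suspect_scripts(SAMPLE_PAGE):
        print(f"offset {off}: score {sc}: {snip}...")
```

Run it over a directory of HTML/PHP files and review every hit by hand; the score ranks candidates for inspection, it does not prove a file is infected.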