A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergency Readiness Team warned on Monday.
The attack, which has intensified in recent days, can be found on several thousand legitimate Web sites, according to security experts. It targets known flaws in Adobe's software and uses them to install a malicious program on victims' machines, CERT said.
The program then steals FTP login credentials from victims and uses that information to spread further. It also hijacks the victim's browser, replacing Google search results with links chosen by the attackers.
Security experts started tracking the attack in March, when it had infected several hundred Web sites, but in recent weeks the number of infected sites has jumped dramatically. The attack has been called Gumblar because at one point it used the Gumblar.cn domain, though on Monday it had switched to a different one.
Security vendor ScanSafe has counted more than 3,000 infected Web sites, up from around 800 just over a week ago.
That kind of continued growth is unusual, according to Mary Landesman, a senior security researcher with ScanSafe. Attackers have launched many widespread Web attacks over the past few years, but after a few months the total number of infected sites usually drops as Webmasters clean up their servers.
With Gumblar, more and more sites are now being infected. Landesman believes it's because Gumblar's creators have been good at obfuscating their attack code and making it harder to spot on infected sites. And because they've been stealing FTP login credentials, they've been able to use a few new tricks to get their software onto the sites. "They're doing things like changing folder permissions … and leaving behind multiple ways that they can get back into the server," she said.
Still, Web attacks have become so widespread that Gumblar remains a relatively small-scale phenomenon, according to Symantec Security Response Product Manager John Harrison. Last year, Symantec counted 18 million online attacks against its customers. With Gumblar, it has counted 10,000. "It's really just another day with drive-by downloads," he said. "There really are so many of these."
Security experts say that if you're using a fully-patched system with up-to-date security software, you should be protected from these attacks. To date, they've worked by hitting the victim with malicious PDF or Flash files.
Rss FeedRss Feed
The Leader in Network Knowledge
Comments (9)
RE: Web attack that poisons Google results gets worseBy danschaefer on May 19, 2009, 2:22 pmCan you identify the vulnerability in Adobe that created this security breach? Adobe just fixed a security vulnerability. They have more information at http://www.adobe.com/support/security/bulletins/apsb09-06.html....
Reply | Read entire comment
Web attack that poisons Google results gets worseBy Anon on May 19, 2009, 3:29 pm The weblogiccluster error is also visible in the Sponsored Links window.
Reply | Read entire comment
HELLOBy Anonymous on May 19, 2009, 6:19 pmJUST WANTED TO SEE IF THIS WORKS. I DON'T USE COMPUTERS SO I DON'T REALLY KNOW WHY IM ON THIS SITE. BACK TO BED FOR ME
Reply | Read entire comment
Seeing WebLogicCluster error in this postBy Anonymous on May 19, 2009, 7:21 pmAbout the 3rd paragraph I get (Firefox on linux): "... Adobe's software and uses them to install a malicious program on victims' machines, CERT said. Failure of...
Reply | Read entire comment
Irony...By Anon on May 19, 2009, 7:41 pmPerhaps the error messages embedded within this news posting are indicative of some sort of hosted malware? "Failure of server APACHE bridge: Port number in...
Reply | Read entire comment
AnotherBy Anonymous on May 19, 2009, 8:04 pmMr McMillan, Thanks for assuming everyone uses the same version of Windows so you don't need to list the target in your article. Oh, that's right, if you're not...
Reply | Read entire comment
View all comments