|
|
|
Google vs. Gumblar: Search Engine Abused in New Round of Stealthy Attacks
By: Brian Prince
2009-05-14
Article Rating:  / 6
There are 0 user comments on this Network Security & Hardware story.
A wave of Website compromises is infecting users with malware that redirects Google search results to malicious pages. The malware, which so far is targeting users of Internet Explorer, also steals FTP credentials and installs a backdoor.A multipronged attack targeting users of Internet Explorer is poisoning
Google search results and redirecting users to compromised pages.
According
to ScanSafe,
the stealthy malware is hitting computers via drive-by attacks
leveraging PDF and Adobe Flash exploits. Once installed, the malware attempts
to swipe FTP credentials from the computer and creates a backdoor on the
system. As a final move, it launches a man-in-the-browser attack in
order to tamper with and replace legitimate
Google search results with links leading to compromised pages.
ScanSafe
refers to the Website
compromises as Gumblar attacks after gumblar.cn, the malware domain
involved in the attacks. Already more than 1,500 Web sites have been attacked,
including Tennis.com, Variety.com and Coldwellbanker.com.
"The
stolen FTP credentials are then used to further compromise any Websites owned
or operated by the victim," Mary Landesman, senior security researcher at
ScanSafe, told eWEEK. "As a result, there is exponential growth of these
compromisesas more victims are infected by encountering a compromised site,
the number of compromised sites also increases and thus more visitors are
exposed."
Google
began delisting the malicious sites appearing in search engine results when the
attacks were first discovered in March. The attackers responded by replacing the
suspect IP address with another IP address, allowing compromised sites to once
again be listed by search engines. Both the injection and the redirection occur
locally on the compromised computer and not on the search engine itself.
"The
cyber-criminals responsible for Gumblar have learned to morph its features
quickly," Landesman wrote in a blog post. "This, coupled with
Gumblar's other dynamic characteristics, is allowing the compromise to
disseminate more rapidly than others we've seen."
So
far, the malware has been targeting Internet Explorer. As a result of the
hackers' tactics, the gumblar.cn compromises are increasingup 188 percent from
the week of May 4 and 61 percent from May 13, according to ScanSafe. Overall, Web
malware increased 300 percent throughout 2008, with another 19 percent
increase in the first quarter of 2009.
Users
are advised to make sure their patches from Adobe Systems are up-to-date.
|
|
�������x}kw6�DىCvK}dKnkbY�KmO9Z$�!)��
�_zP��tb["�PU(�
�$KW7-gDڮ9)ٟfߧG�,�I}݇@�@e�jNULUsJ�Զn�T7n[#3�P/W�a��W�᳙(,�Q � tjOt0]2h�T�k2"gTek/cߨ�Y�`&`1Z4�lR!�j
�9i=�?۴�$�)qL�Ѻ�c(D~%k[ t�V�N oT|�� p'DFþ�=a��C%�k4ً�ʏᐨqGO|�{/�!�X]�ꄽ4-jc2]�hj:TN`Uƞfn�=�a��j.�9�1rz�m=
Go&lwrD�ƞHC�d �LJQ`:pm3��G^C]õ]��T*-RD�eCwt�S��źS]k�ԏPL0H��6=~0[� QM%$�7
�.lq���`=Ķ|h��:�]�Uh?AWuomzV[u�#ϝ91yq�L%x �TmO |lM�S�~
$��hG�Xu3o3�2�
dþ?bH(I|X:R�No[쫅S;�QmKR)(GU:G��lݹ��жD^v�Cnt�6//?ȃ��N��� [?�0QX�&*Rp2I2�A�1vj�ju{�`i��%?pQAS� TN$0yY>E�4dEU#dVא-ͫ^m^l$w3Yn���%�0omYn^H.)ލ�a(�7f`X@7�? eR2uL8��X@/@ש#qWWtB=::mT7o`��2��&4 .άj��h-@ho�*K���LrU&@Sk~�$M�\sΚb.L2o4x)�}RU/��(AK/�-
�5f>�]T${3BD�ȃ`g@ �BDԐ?CC���0&pt/\�~��_M.OawW9Q^�K\M]ޢG�*�<�Λft;W�~j7&LqJ�j�p�X.B2iKB0.qjۛZt�Ǎ�a�^TT���G&-d`q86ayʔI�?q�L>���NP'}2=�jZIu;Ni(|���I�}Ѧ�>R��[���iH'0��+���GݺzLӰ�=��Wԇ5ӎD�5�7
�l"&q}3 z`y��a2y&C?�FtE@�>X^0 j�pS�*~3��=w=
|
�wA�)�lmAl}``1 �5g�%:��r%Ead�n.G))(I.B$(ZȻ�B�!A�lv
��[$p Xt�l+��+Ia
.�<���B�I!ڹLX��M)O)�X�ScX`D��,z?v'�m/n$)N`�V|�\v��Lg˺z+fYF^ӛAx ~/
B[+�Y�&���&ےx��A-ʘ�ŗZZG"��JM�P>�V�"�Cɣ($�me6L�?GI�n<�ϞZC}nvP
jrAc#S�ad$V)jV'fڹgK �l� �J;4
Ho�`�:7bbˡ\2
aN3w
Asmr&ݩ?�n�l2n�g�,3�p1hBJeH�w:v�
c7,���h�ZQ�gm1JL=PF˸�Fqm@XĞͧ�8]%W=L-Y\�.V°#]եޥ5�f$@0o�"=qN4S�
в`ouqAʫEu�f-0א~3�JAUcϓ�as@M$ �g�2,rmٔA�u;s��ԧSjEҶY�4p=r ɯ¹5j1|��j 0&B$Cכ0raؼU_82#Xh�;�pYb~&��>Bkd&B��[OO;$!WTn�Lb
֚΄��Ou�#_g��>р�ap:�pHE&A|Zkh��
y�| *��OJ�1�-[
(h
[zp�E��abIt?I��M!rB�3�]]=1��挮~�'t!+B�L�ɡZ.qW`�qG�yW�G�"MO�H�_�㬯8�ǻ^~b-Z7/Q~^�};݁�\rϙ���|b�+�'�3E�<&��{HY�e�}�t%_8Ib+�ģ�Y��䊢#Ïn
vO�� g�: �C\4�<�h�c�(z`0d�mmP���sѹm?Q]UaRP#6�AQh܆8y>.ԯ)�(S��
��oT5}�U��*JAe߯YQ�PYمH��B:��d@�t=k�;J8Kj
f1��5<ō'&Z3c��k+4C
�㔁�z3M�dhH5�_ήϖͯ6>̳i�Lj{mx[�|8ݙ'k{J�}6Up
v A+;}#52镍0:L�M}G�QW5@�dLfQJg1µ� eg�z�[�لY]�}6b�5zAFp%@)gS��DV[IUsԵбtN}|o:sg8X$�]3�a Qna�i0'�e�R
z`N�Fr�
3�e�E#�uya3�9aؠGsHoR11 Z�H$�}'�Vӿ}�
Pk��RTJ�X\� V_A�ұg.3_�wj�<]hL4>J>jG�2cFԡ�)Ь6ڴ���#�C/Z2<�=p�8x�*YʊnZv` d|X*��=O
)(�tb�y3EU
}�9ӑ�?~�n]�<�d�0�sv٬߄6b��`
xѤ��"ԣcxH15^��6Q"B�@I˸tn��,�;�>XKr!�}$��=Cɢd�'kѨ�ٞ{+^�'WX*��5�̄o$Cd
x��AQN���5 �+JG4ZTrZgp{"�
Bt�X�1t��}E/R)Q\(뉞�hYyֹsc�Ԭ?)���_(/0{o)Aߐ>O1Ok4��~ P=8Y,ph%縵vRuK:�d�Nlp
j_`eSrg��~4/�_�����"Ty�zwLƖiR'DZ3pu*�I�hwl)~ڲOCT䵤�
g[YUHN~,��stH1��|<ÃFs? "L-rL.Q0}~R=:*Kl�3q`�r_�|oIM2G�z1}ɈӍ1A�0n��p;G�Q��v0xl&�4�-yWy#+x�~4qYx21u8nia[nǡ8����0(^d$4P$yUZ̶�/WU�$]ue%�~�VxF0�&ilځ;�-�3(��m3{F=_3{KwKx?*~�#{}&
�~2]9PI=�)~=Ң(�r_:ZDp5Q {qI).|s�?//J`\T�y^v} l$>?Gko[#D:*pG#MuO�x��
��'KM�;w9wB#A�VާA=�$b
�Qs`e'�cHS17ƸWr�Q\�*Gj1E��ւgk[1Iw=9�mh
);H�N�W)oa"GL|]]�A3%(,z�*ue"x/clLJl4>r�|:�d(,N�F�SH娐�g��0�sҁ�@8=Mbno䇩�"k$��:Kq2(�s[&
M1,��3ȉ{6"|p4aYDҟt8� ؐ�`!߃zLX��=�܂�]FJ>&�[S7��(4cIw})p�xI�n>xnkNW�R}ISJJ$L^3LD�7@��o :=�8 a��[XHe�>h�x2s#WHgS\�˹W��*Zz<[##�.ڱ19>k�NRԆyēng6h`'! _mQ*��
J1Y�x�l��'1xodx ũ/CH#LYʡ�s(� с
:q�!f�ˈL�)�-L!iGr1Tr� {� |fYc�:IA[,؝�_ٝ׆/k1��3LՆ�<=G�Y udPE5T�xaf+G�P��=�P{-&|92��ڎ/F+X\q�t_jϥIu�������?HU�w�[3�Q�
G[&kӃwZ`0ǀ^G�ʷ�F5$z-M0�W�o#Mhȝdx��Ѧ`m�/2�#yy^��bެfTb ENKf+ ё:Hw}�V(> ]^y5^5W.b4J�_$TLm س�U{&-_m+>T
Tj9Q�=��f�2 A;u�'R`aCK-YŜM��l)RSgi3ݑЉfY FX/k.!L�,|1@?}�z:��EH�GB��2om^ZIz�jO~uK~{1T%f�oD�2(:&�IX�\�VGÜ<��N�F�I�G�_�U��ʖ|Symé.u0@JXA/6ѥ�[5�}ݱz�ҺU\0,1?�L��B@'�S/Ή�E̷ö]wǬBՓx��;#�n�/u} X�~$~�YH�؈t�L�چ
�
ҍ<~
ő:٦���_e�ۜ7`쳱m�l|ڶ�p4U�dN�!0
u�S>90;�֏���&.")�uV��8o�^4�]HQۭZ�Bx�<<�u".�ItFtEnSLڟXu
c.ÀH4,?[plf#r Sw
CxK�\"ś"F04�U\+73n`z`�Zy$f�j!�V�f5�N`Mym&{�m_rO�6Zl�j[V���Z(H5~ӧS�@VE[6b}K]gd'�c��փf�\�@m
@ɼ=�Ь%5:&GJD:`�ɿW`?℉fne�?q�%3H��N4�p�zQX�ȓ� z`�]g�O}:�w
�x-槯\"Ҷ�.�O[ݷ8(��̫
U�d=I^F�âċFP�ђ,#;Ћ痨��d���!D70۴%�oJ3��*�
`�]�#G?Ԣգ�@�(�
x�}�-�6Ҫ=O/� 3e>fMCMw#^H�#�"l�?G�*�O2xXl
o-Kq�ì�f�mo0q_�n
�y+1q#��Ga�),*(<
�5O�Sӧ¤�Xt'O|_C@�-ĝ(p��+�O�S{[�q'�H|Y��/<
X6�RQI13ʉmOѽ,x�BY�qma�B4o|�-���@,9&��>d)S�w
'��A`�O={=�D�nt�Q˜�vFr@Ym�Ӷ|���4>(C^PB^]u��'M=1@7G;s�P�VV�kM3+� ,�F�
"J��Y�"�'"�KIE�/]^|cnl?��Q�X2!/ǂ6�
ͤ<87%|Oa8FS�Y�h9M"!cbieH]-OQ/��]ZX,:~�eL<^^AFc+S}*5fL0P;qU6'�a<::Bߔ@@VH4i�3�rCQ58uM�llN#Ak���b�hc;Xy��찱�Vy
[J6vn&X%m'h�zBRKo^3C'�ܬXMi_gGہ�5�ڢSR.DX:ewH�� O�drn-&�~iX��K>H�'*ty*11D)�B;�9�5�}B�NRTKx�z`N�FMO�ZєV9T,�
fm
�Cn4rƴ��Xd�Xtಈ֞uv0ـy��*�MݳnSL݃QW�K&�{ք2JaG�N$(�b��Qz=
�ty���|v|P�S�z1�W-~ᮤq��jW�ƶ2�4�I �a�]ڋjL_�"|v2yN&3'T&H�F;6vCWѵAXL{3�eJD�u�,u{
cD�+۫uG)�g0h�EZ`3+n{lZNȶ8+il�wAQg)q8��@Bwt��c2h聎�DҝRq��߶�~m�zx��st�c6ڊj
CTTPN).&�8\=�-%|͈s�%��-.>/�OcB0�#7)W'���n��4�՟.'���QN�ןq+PU'?ɺexx7cJ"��rSj20�ӏbS:�&���I��.��
A|j#4~ڌ ��Pmļ@BS֜}o<�{o#b2z��\�ĥ)׀��"ڐUBa=X *>Io��R3GԍeD���L��_�ּk6F~.U{7]
dyܝ ����\oK��M}N)
-;5�g4�9�O��O0�s
xwt'l9e1v1$Uֽ?g�7,>�-l
� \Z��s4a{ڼ檫�)�+�>gDwdU�wYUuG^ߧx%�͒G2Vq樅&JZ!
�`x�jNrd�ez?��X~@|�LBz،\{cݹ嘫կ/
ft?vnZV犜6/;wx� ZѷpKtԝsi|9\9o]5oZW\`&hT楾��,g:KFY�n2;eFq('W<ǵ,��2�^ûLKvE Ccqq�^ �Iz�(%lGyї�5�1ԯ&Ll+�s��v�mv�?�2z-f_@EFߠo�m(og^e�U\]e_��O'Ct@t25u�\��dO�f��z��c}g�u�Ym�~@�A]V9]�Aw��e_ry��rVƅ)��ӌbv/�苬 OY射:(?�}VR<_`]dk �t.�rg_�u3��̭L_ZgFr]!,.5P�UZk�/Y�ݲ�q �&�=�P7].�wqSݮ%x?5`
6nsOkr>u["[~|^>6of!3^8��6սD<�gu~�o2p�@��?o��9X�-.#R�箋Q׳�+xa;Ϩ�^kc¥��6�%dή�1v�fuƿ.Ӊ p&~Cgi �.�3ΕD�M�hlգ{�h9đ�^u�O�?g�)b>�7֧TB΄[4�п2�$�*˗ X֭2�3�/z�ch$d��V$1x_%05�%�Yq�1ld@(we6Lm (~%.,wf3;�.�S@8>�cc6Hm�\wrlC����nܙ%�O_/tAW�漣b\='ݹ�fs(9>Lxk�[l,��)�Qh/I'�kP��~)�0uﱟ��cO�It�>x*8�"�"H�"s�{B�|%i�ZP%�n3!�%؉GמЄ2
a��9ao5RFXk;MA5c�t:hݺku�o�n(}#K��4#+>0cX
=���O����tZwkdY9Hr&z�U h$7=j"6��:
gKb�D��szn%()%�y+L9(م��xm^*(u�ljKw0ㅰxo!�Z^y�M6l#Yұ�ߜP
TDO��"Vx9m�$K�i[zQڗ�E@1agG�[f*i/\mRL?�PɕX�)u�n'|oWܢ?��T|=
5'\6LDR��}N�0~NZ]�v0@9DEP!/;vm�F)f��'NFp)N�<}z[lQ%�76x��b�ЄΧ^p穎T�U|��J��A1^<3&;z~�o�C2z
l|$_Oxƪ~Saxr=&#��fsh���]-I�S`@W]Q'z�aJt�{%�!Ү\)V�bʥ.S�ܟ=Bbx����҅fHP�`y%K@4�Ի�
q�얢U���nDl`a�Q1n,ـ�&@���6�v� E=b�농E]�hT_�.**c�
��/ߵc3qݼ�®"�vyX�]�A\XIڙF�X�<ٰ���s+��o=Љe�;5ano,eH&}+qd.
"�$8jVI�{{a0��&iE-㨤t`C
v�_̉~ph;?�҈Y>A� wVǰ�YF!&ۅ7�O80�Ux|�-h\�}�ݘ_e9LgѸ93E~2ztTb.^�6ٍ+[Ȁ7H>Y�D,5R;tP�9ϓ a�0�+�=�:`-�3q7C�Ǯ
C)&DW�K�5�4Ƙb~bf�Y�W`0-�Z�.<�̳�(`�,��Lv"V�KjMΡmfpR!*a�cT
1L(�_�,R�.�WWv!G�Zv�|��E>byx ŧ$�AS?�|:T+w\`�_54hI:F3
AHcFS"^ֳ/�
.A|>Ðy6�Wn_!����eVU�A$摝7yM1�uc*H9�vS��F'e9PU>\J�BS+$Ĥ�{mh6
|
Network Security & Hardware 
