A wave of Website compromises is infecting users with malware that redirects Google search results to malicious pages. The malware, which so far is targeting users of Internet Explorer, also steals FTP credentials and installs a backdoor.
A multipronged attack targeting users of Internet Explorer is poisoning
Google search results and redirecting users to compromised pages.
the stealthy malware is hitting computers
via drive-by attacks
leveraging PDF and Adobe Flash exploits. Once installed, the malware attempts
to swipe FTP credentials from the computer and creates a backdoor on the
system. As a final move, it launches a man-in-the-browser attack in
order to tamper with and replace legitimate
Google search results
with links leading to compromised pages.
refers to the Website
compromises as Gumblar attacks
after gumblar.cn, the malware domain
involved in the attacks. Already more than 1,500 Web sites have been attacked,
including Tennis.com, Variety.com and Coldwellbanker.com.
stolen FTP credentials are then used to further compromise any Websites owned
or operated by the victim," Mary Landesman, senior security researcher at
told eWEEK. "As a result, there is exponential growth of these
compromises-as more victims are infected by encountering a compromised site,
the number of compromised sites also increases and thus more visitors are
began delisting the malicious sites appearing in search engine results when the
attacks were first discovered in March. The attackers responded by replacing the
suspect IP address with another IP address, allowing compromised sites to once
again be listed by search engines. Both the injection and the redirection occur
locally on the compromised computer and not on the search engine itself.
cyber-criminals responsible for Gumblar have learned to morph its features
quickly," Landesman wrote in a blog post. "This, coupled with
Gumblar's other dynamic characteristics, is allowing the compromise to
disseminate more rapidly than others we've seen."
far, the malware has been targeting Internet Explorer. As a result of the
hackers' tactics, the gumblar.cn compromises are increasing-up 188 percent from
the week of May 4 and 61 percent from May 13, according to ScanSafe. Overall, Web
300 percent throughout 2008, with another 19 percent
increase in the first quarter of 2009.
are advised to make sure their patches from Adobe Systems are up-to-date.