Drive-By Download Poisons Google Search Results
snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."
About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.
Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more, and I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.
There's the integration of FTP clients into browsers, and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a streamlined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.
My work here is dung.
... Flashblock basically remove this exploit's ability to infect your PC?
There is a war going on for your mind.
I'm sure that McAfee and Norton will have an anti-virus signature for this in no time.
According to Sophos, this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.
On OS X I don't even install the reader anymore.
But if you use it on Windows and aren't half bothered to find a more secure PDF reader... At least turn the plugin off in Firefox
Tools > Options > Applications
Set all Adobe to always ask.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Server side of things could use work too.
Uninstall the FTP server. Configure to login using public key authentication and disable passwords.
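The server-side advice above (keys only, passwords off) is easy to state and easy to get subtly wrong, because sshd keeps the first value it reads for a directive, assumes "yes" for password and keyboard-interactive authentication when they are not mentioned at all, and treats anything after a Match line as conditional. The checker below is an added example, not code from the thread; the two sshd_config samples in it are constructed, the defaults table is an assumption about current OpenSSH releases, and it covers only the SSH side (removing the FTP daemon is a separate step).

```python
"""Audit an sshd_config for what the post above asks for: key-based logins
only, password logins off.  Added example, not from the original thread.
The two sample configs are constructed; the directive names and their
first-value-wins semantics are OpenSSH's."""

# Values sshd assumes when a directive is absent (OpenSSH defaults, an
# assumption about current releases; older builds differ in places).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

# What each directive must end up as for the "keys only" bar.
ACCEPTABLE = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "permitemptypasswords": {"no"},
}

# ChallengeResponseAuthentication is the legacy spelling of the same knob.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# Constructed example: passwords on, root can log in with one.
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# Constructed example: keys only, no interactive password prompts.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
AuthenticationMethods publickey
"""


def parse_sshd_config(text):
    """Return the effective global value of each directive, lower-cased.

    sshd keeps the first value it reads for a directive and ignores later
    duplicates, and everything after the first Match line is conditional,
    so the walk stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return findings as strings; an empty list means the config passes."""
    effective = parse_sshd_config(text)
    findings = []
    for key, good in ACCEPTABLE.items():
        if key in effective:
            value, source = effective[key], "set"
        else:
            value, source = DEFAULTS[key], "default"
        if value not in good:
            findings.append(f"{key}={value} ({source}); expected one of {sorted(good)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against the live file (for example by reading /etc/ssh/sshd_config and passing the text to audit_sshd_config) after each change, and remember that a config consisting of nothing but "Port 22" fails the audit: silence on PasswordAuthentication means passwords are still accepted.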
I hate it when PDFs freeze Acrobat Reader.
As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine it's popular because it's a bit subtle and pernicious. How much malware is out there that is undiscovered because the effects are more subtle? Maybe reordering search results? Replacing ads with different ones?
For my mom, I ended up using http://www.scroogle.com/ to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admit I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man in the middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.
<offtopic> When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now. </offtopic>
With all the better alternatives out there
Yeah, it's not like Adobe's software is the standard in some industries. /sarcasm
Don't use FTP anyways for anything sensitive like uploading to your website. I used to do that, then got infected by a virus of sorts. What it did was sniff the (non-encrypted) FTP packets to steal credentials, then log in and replace all the index files on the server with its malware infected version.
That got two of my websites infected and blocked by Firefox/Google for being reported as attack sites. Now I only use SFTP/SCP.
You just got troll'd!
I have SSH enabled on my server, nothing has gotten by according to my log files.
"Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind." -Dr. Seuss
Two of the most secure technologies on the interwebs...
This may not have been intentional, but the Scroogle link in parent post is wrong, and goes to a site that is NSFW.
Correct link is here.
Consider an organization where every desktop has the full version of Adobe Acrobat and Flash Player. Both are pushed out with GPOs. Thank god I can push the updates.
I got infected with this piece of shit (or some other very similar piece of shit) because malicious code on a website somehow forced Adobe Reader to open a PDF, although Foxit had been my default PDF reader for months (in conjunction with the PDF Download add-on, which was somehow circumvented as well).
Sure, I should have been suspicious instead of just annoyed at AR opening out of the blue. And sure, I should have uninstalled AR when I started using Foxit, instead of just letting it sit on my computer. This is just a warning to other people that are as stupid as me.
(Reposted with Correct Link)
As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine it's popular because it's a bit subtle and pernicious. How much malware is out there that is undiscovered because the effects are more subtle? Maybe reordering search results? Replacing ads with different ones?
For my mom, I ended up using http://www.scroogle.org/ to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admit I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man in the middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.
When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now.
Kudos to the author of this virus. The mindset that is behind such a hack is quite insane. I mean nobody would expect for a Google search link to have been hijacked. Before you know it they'll have a way for your Facebook to get malware. Anyone who got hit by this attack surely had it coming IMO.
With all the better alternatives out there, anybody who uses Adobe software deserves to get malware. Think of it as evolution in action.
Actually I was thinking the same thing but about ftp. I can't remember the last time I needed to use an ftp client. Must be at *least* 5 years ago - probably more.
Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
I had 6 websites infected by this last month. Flash and PDF downloads starting in iframes offscreen.... based out of China.
Not sure if it was a web exploit or ftp login theft. We looked at both early on as the footprint was confusing in that things were happening that shouldn't be possible without direct access to the server via ftp.
We changed all passwords to be sure that there weren't any old ones floating around on insecure PCs in the company or with clients, then updated all applications to remove any known exploits. Then added in rewrite rules to stop libwww and other known agents from accessing any files via the web.
Seems to have worked, no more exploits happening (lots of tagging was happening in addition to Gumblar).
It's odd that it took so long for this advisory to come out though. Maybe we should have reported it but we did not know it was new as both exploits were known at the time, just not connected with a specific initiative by a hacker/botnet.
A fool throws a stone into a well and a thousand sages can not remove it.
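The last step in the clean-up above, refusing requests from libwww and similar scripted agents, is the kind of rule worth testing offline against your own access log before (and after) it goes into the web server. The script below is an added example, not the poster's configuration: it parses Apache combined-format lines and flags the ones a User-Agent block rule would refuse. The log lines are constructed, not real traffic, and the agent list (libwww-perl, Wget, and an empty User-Agent) is an assumption meant as a starting point.

```python
"""Detection the post's rewrite rule is meant to provide, run offline over
access-log lines: flag requests whose User-Agent is a scripted client that
has no business fetching a site's pages.  Added example, not the poster's
setup; the log lines are constructed (not real traffic) and the agent list
is an assumption, a starting point rather than a complete list."""

import re

# Apache "combined" format.  Constructed sample lines.
SAMPLE_ACCESS_LOG = """\
192.0.2.7 - - [18/May/2009:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
192.0.2.8 - - [18/May/2009:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 842 "http://example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/2009042316 Firefox/3.0.10"
192.0.2.9 - - [18/May/2009:10:02:11 +0000] "GET /wp-admin/install.php HTTP/1.0" 404 209 "-" "Wget/1.11.4"
198.51.100.3 - - [18/May/2009:10:03:40 +0000] "POST /uploads/x.php HTTP/1.1" 200 77 "-" "-"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Agents to refuse (assumed list): libwww-perl anywhere in the string,
# Wget at the start, and an empty User-Agent, which browsers never send.
BLOCKED_AGENTS = re.compile(r"libwww-perl|^wget/|^$", re.IGNORECASE)


def parse_access_log(text):
    """Yield one dict per well-formed combined-format line; '-' means empty."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        record = m.groupdict()
        if record["ua"] == "-":
            record["ua"] = ""
        yield record


def is_blocked_agent(user_agent):
    """The same decision a RewriteCond on %{HTTP_USER_AGENT} would make."""
    return bool(BLOCKED_AGENTS.search(user_agent))


def suspicious_requests(text):
    """Return the parsed records whose User-Agent matches the block list."""
    return [r for r in parse_access_log(text) if is_blocked_agent(r["ua"])]


if __name__ == "__main__":
    for r in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(r["ip"], r["method"], r["path"], repr(r["ua"]))
```

The Apache equivalent of is_blocked_agent is a RewriteCond on %{HTTP_USER_AGENT} with the [NC] flag followed by a RewriteRule that answers [F]. Keep in mind what that rule is and is not: the User-Agent header is chosen by the client, so it stops only tools that did not bother to change it, and the empty-agent POST to the uploads directory in the sample is the line that deserves a look regardless of any header.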
I haven't seen malware links on Google, but I'm wondering if I'm infected because I don't regularly update Flash on my laptop (I don't have Flash on my main PC).
Shame on you! Get a free reader that isn't so vulnerable.
That sounds like a pretty ineffective virus because no one in the history of the Internet has ever clicked a text ad, ever. Seriously. Name one person who has clicked AdSense on purpose. Name one person who has clicked AdSense and then bought something. I don't believe it has ever happened, other than a proof of concept at the Googolplex.
In their security alert, Adobe urges people to upgrade from Adobe Reader 9.1.0 to 9.1.1. If you install Reader from their main download site, they still give you 9.1.0. The 9.1.1 update is available only if you follow the links at the bottom of the security alert. Insecurity through obscurity!
What is NSFW?
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I got to clean out a system with this about a week ago. It was really nasty.
The worst part was that I spent the better part of two days trying to figure out why the search links were still being poisoned, even after nothing on several LiveCDs found anything...it turned out that it had installed an invisible Firefox plugin/extension which was doing it.
Exciting, huh?
It's only an insult if it's not true.
People still use FTP? I'm not saying you're totally safe with SFTP, but I haven't used FTP in I don't know how long! For ssh/sftp it's gotten to a point where I just use the SCP command line, with the exception of connecting through Nautilus once in a while.
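Both this post and the earlier one about a sniffer stealing FTP credentials and rewriting index files rest on the same fact: the FTP control channel is plain text, so USER and PASS go over the wire readable by anything on the path, and the server's 230 reply even confirms the pair works. The parser below shows exactly what such a sniffer recovers. It is an added example, not code from the thread; the two byte strings are a constructed client-to-server and server-to-client capture, not real traffic, and the pairing rules (one final reply per command, 1xx replies preliminary, the 220 greeting unsolicited) are RFC 959's.

```python
"""Why the comments above recommend SFTP/SCP over FTP: the FTP control
channel is plain text, so anything on the path can read the login.  Added
example, not from the original thread.  Both captures below are constructed
(a client->server stream and the matching server->client stream), not real
traffic; the pairing rules are RFC 959's."""

import re

# Constructed capture of one FTP control session, split by direction.
CLIENT_STREAM = (
    b"USER webmaster\r\n"
    b"PASS hunter2\r\n"
    b"TYPE I\r\n"
    b"PASV\r\n"
    b"STOR index.php\r\n"
)
SERVER_STREAM = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"331 Please specify the password.\r\n"
    b"230-Welcome, webmaster.\r\n"          # multi-line reply: NNN- ... NNN<space>
    b"230 Login successful.\r\n"
    b"200 Switching to Binary mode.\r\n"
    b"227 Entering Passive Mode (192,0,2,10,195,80).\r\n"
    b"150 Ok to send data.\r\n"             # 1xx = preliminary, final reply follows
    b"226 Transfer complete.\r\n"
)

COMMAND = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$")
REPLY_END = re.compile(rb"^\d{3} ")


def split_replies(server_bytes):
    """Group server lines into replies.  A reply ends at the first line of the
    form 'NNN<space>'; 'NNN-' lines are continuations of a multi-line reply."""
    replies, current = [], []
    for line in server_bytes.split(b"\r\n"):
        if not line:
            continue
        current.append(line)
        if REPLY_END.match(line):
            replies.append(current)
            current = []
    if current:                 # capture cut off mid-reply
        replies.append(current)
    return replies


def extract_ftp_logins(client_bytes, server_bytes):
    """Return every USER/PASS pair seen, with whether the server accepted it.

    FTP answers each command with exactly one final reply, in order, apart
    from the unsolicited 220 greeting and 1xx preliminary replies, so after
    dropping those the n-th command pairs with the n-th reply.
    """
    replies = [r for r in split_replies(server_bytes) if not r[-1].startswith(b"1")]
    if replies and replies[0][-1].startswith(b"220"):
        replies.pop(0)

    logins, user, idx = [], None, 0
    for line in client_bytes.split(b"\r\n"):
        m = COMMAND.match(line)
        if not m:
            continue                        # not an FTP command line (e.g. an SSH banner)
        reply = replies[idx] if idx < len(replies) else None
        idx += 1
        verb = m.group(1).upper()
        arg = (m.group(2) or b"").decode("latin-1")
        # Only a complete final reply tells us the outcome; None = capture cut off.
        code = reply[-1][:3] if reply and REPLY_END.match(reply[-1]) else None
        if verb == b"USER":
            user = arg
        elif verb == b"PASS":
            accepted = None if code is None else code == b"230"
            logins.append({"user": user, "password": arg, "accepted": accepted})
    return logins


if __name__ == "__main__":
    for login in extract_ftp_logins(CLIENT_STREAM, SERVER_STREAM):
        print(login)
```

Feed the same two directions of an SSH session in and nothing comes out, because after the version banner everything is encrypted; that is the whole difference between FTP and SFTP/SCP from a sniffer's point of view, and it is why rotating the passwords without also dropping FTP leaves the next set just as exposed.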
No scripts running on a Web page == no drive-by downloads
Unfortunately, with most 'modern' websites...
No scripts == no working links
No scripts == no images
And more often than not
No scripts == no content (blank page)
But you sure won't get drive-bys. Of course, just leaving the machine off has the exact same effect. And is about as useful.
(I use FF3 w/noscript, abp & noflash)
Good thing I never moved on from Altavista. I use Mapquest, my ISP e-mail, etc.
Every Google problem makes me laugh. I don't ever touch their services.
Then again, I'm still using WinZip 7.0, AIM 5.9, WinAmp 5.0, etc.
ZOMG! 9-11!
I see that they are taking advantage of insecure websites and security holes to propagate this crap.
I have several websites that I regularly visit compromised by this.
May these people be sent somewhere to experience long-term "extraordinary rendition".
How does this affect my Linux desktop?
Free speech was meant to be free for all... how can anyone grow up in a nanny state?
It's not redundant - the posters shouldn't use obscure abbreviations when people don't know what they mean.