Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-By Download Poisons Google Search Results

Posted by timothy on from the monocultural-imperialism dept.

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

21 of 136 comments (clear)

  1. Sophos by Spad · · Score: 5, Informative

    According to Sophos, this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.

  2. Re:Wouldn't... by ZirconCode · · Score: 4, Informative

    I guess this answers your question:

    "Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware"

    *sigh* Adobe...

  3. The problem is with Adobe... by vertinox · · Score: 5, Informative

    On OS X I don't even install the reader anymore.

    But if you use it on Windows and aren't half bothered to find a more secure PDF reader... At least turn the plugin off in Firefox

    Tools > Options > Applications

    Set all Adobe to always ask.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
    1. Re:The problem is with Adobe... by drinkypoo · · Score: 4, Informative

      Install mozplugger and you can use evince to view PDFs inside of Firefox. If you install it on Ubuntu it happens automtically. It will use acroread if it's installed, I think; it will also use kpdf if you happen to be on Kubuntu, and I think xpdf for Xubuntu.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:The problem is with Adobe... by rhizome · · Score: 2, Informative

      or just use foxit

      same bug

      --
      When I was a kid, we only had one Darth.
  4. Don't use FTP anyways by 4D6963 · · Score: 3, Informative

    Don't use FTP anyways for anything sensitive like uploading to your website. I used to do that, then got infected by a virus of sorts. What it did was sniff the (non-encrypted) FTP packets to steal credentials, then log in and replace all the index files on the server with its malware infected version.

    That got me to of my websites to be infected and being blocked by Firefox/Google for being reported as attack sites. Now I only use SFTP/SCP.

    --
    You just got troll'd!
  5. Re:The Importance of Being Forgotten by _LORAX_ · · Score: 3, Informative

    ssh keys with passwords are the best bet. Run an agent so you only have to give your password occasionally and there really is not a lot to steal. They can take the private keyfile, but without the password it is useless. They can use ssh/scp on your behalf, but only until the session ends.

    Putty has an agent for windows, OSX Leopard has an agent integrated with keychain, and Linux has agents that integrate with PAM. OSX and Linux allow it to be SSO with little risk of password/credential theft.

  6. DON'T CLICK LINK IN PARENT POST (NSFW) by Anonymous Coward · · Score: 5, Informative

    This may not have been intentional, but the Scroogle link in parent post is wrong, and goes to a site that is NSFW.

    Correct link is here.

    1. Re:DON'T CLICK LINK IN PARENT POST (NSFW) by Anonymous Coward · · Score: 1, Informative

      You understand that now, thanks to you, people will intentionally click on the OP's link. And fill firefox with tabs from that page. For about 5 minutes or so.

  7. A little warning by Anonymous Coward · · Score: 3, Informative

    I got infected with this piece of shit (or some other very similar piece of shit) because malicious code on a website somehow forced Adobe Reader to open a PDF, although Foxit had been my default PDF reader for months (in conjunction with the PDF Download add-on, which was somehow circumvented as well).

    Sure, I should have been suspicious instead of just annoyed at AR opening out of the blue. And sure, I should have uninstalled AR when I started using Foxit, instead of just letting it sit on my computer. This is just a warning to other people that are as stupid as me.

  8. Re:The Importance of Being Forgotten by Anubis350 · · Score: 3, Informative

    if they have can use ssh from your existing session they can: cat $NEW_PUBLIC_KEY >> ~/.ssh/authorized_keys

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  9. Re:The Importance of Being Forgotten by gparent · · Score: 3, Informative

    Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

    You realise FireZilla makes this 100 times easier and is just as secure, right?

  10. 6 website infected with this last month by foniksonik · · Score: 5, Informative

    I had 6 websites infected by this last month. Flash and PDF downloads starting in iframes offscreen.... based out of China.

    Not sure if it was a web exploit or ftp login theft. We looked at both early on as the footprint was confusing in that things were happening that shouldn't be possible without direct access to the server via ftp.

    We changed all passwords to be sure that there weren't any old ones floating around on insecure PCs in the company or with clients, then updated all applications do remove any known exploits. Then added in rewrite rules to stop libwww and other known agents from accessing any files via the web.

    Seems to have worked, no more exploits happening (lots of tagging was happening in addition to Gumblar).

    It's odd that it took so long for this advisory to come out though. Maybe we should have reported it but we did not know it was new as both exploits were known at the time, just no connected with a specific initiative by a hacker/botnet.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  11. Re:Wouldn't... by TheP4st · · Score: 2, Informative
    TFA says:

    Security experts say that if you're using a fully patched system with up-to-date security software, you should be protected from these attacks. To date, they've worked by hitting the victim with malicious PDF or Flash files.

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  12. Re:Google Attacks by LordLimecat · · Score: 2, Informative

    It does care for connections--ive seen this particular infection, and it doesnt care what browsers you install, or whether you install new ones, or use firefox portable. If http traffic leaves the computer for google | yahoo | live et al., it gets modified enroute. You get returned legitimate results in the correct order, but all the links are redirected to another site. Its browser-agnostic. I would imagine that it wouldnt care about encryption, since its on your computer and it could just do the injection after decryption takes place.

  13. What is is NSFW? by Snaller · · Score: 1, Informative

    What is is NSFW?

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  14. I've seen this. by rincebrain · · Score: 5, Informative

    I got to clean out a system with this about a week ago. It was really nasty.

    The worst part was that I spent the better part of two days trying to figure out why the search links were still being poisoned, even after nothing on several LiveCDs found anything...it turned out that it had installed an invisible Firefox plugin/extension which was doing it.

    Exciting, huh?

    --
    It's only an insult if it's not true.
  15. Re:Google Attacks by afxgrin · · Score: 2, Informative

    Hey - thanks for the link to a nice website. :-)

  16. Re:You're still using Adobe Reader? by fluffman86 · · Score: 2, Informative

    In Windows, I like Sumatra. It's smaller and faster than Foxit, and doesn't allow javascript and crap that causes problems in Adobe Reader. It does, however, sometimes have trouble rendering some more complicated pdf's, but you could always keep foxit around for that rare occasion.

  17. Re:The Importance of Being Forgotten by PitaBred · · Score: 2, Informative

    I tend to make authorized_keys2 read-only, and owned by root. I can change that if I need to add another key, but that's so rare that it's well worth the extra security.

    --
    My blog. Good stuff (when I remember to update it). Read it.
  18. Re:The Importance of Being Forgotten by BenoitRen · · Score: 2, Informative

    You make a good point. There's one thing that I find fault with, though:

    I hope HTML + CSS + ECMA stop being constantly updated

    Where do you see constant updates? HTML 4.01 has been out since 1997 or so. CSS2 has been out since 1998. HTML5, CSS2.1 and CSS3 are still in draft stage, though I will admit that CSS2.1 has been close to completion for quite some time now, which makes it valid for implementation.

    I can't argue about ECMAScript. It seems to get an update a little quicker than the previously-mentioned technologies, though.