Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-By Download Poisons Google Search Results

Posted by timothy on from the monocultural-imperialism dept.

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

5 of 136 comments (clear)

  1. Sophos by Spad · · Score: 5, Informative

    According to Sophos, this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.

  2. The problem is with Adobe... by vertinox · · Score: 5, Informative

    On OS X I don't even install the reader anymore.

    But if you use it on Windows and aren't half bothered to find a more secure PDF reader... At least turn the plugin off in Firefox

    Tools > Options > Applications

    Set all Adobe to always ask.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  3. DON'T CLICK LINK IN PARENT POST (NSFW) by Anonymous Coward · · Score: 5, Informative

    This may not have been intentional, but the Scroogle link in parent post is wrong, and goes to a site that is NSFW.

    Correct link is here.

  4. 6 website infected with this last month by foniksonik · · Score: 5, Informative

    I had 6 websites infected by this last month. Flash and PDF downloads starting in iframes offscreen.... based out of China.

    Not sure if it was a web exploit or ftp login theft. We looked at both early on as the footprint was confusing in that things were happening that shouldn't be possible without direct access to the server via ftp.

    We changed all passwords to be sure that there weren't any old ones floating around on insecure PCs in the company or with clients, then updated all applications do remove any known exploits. Then added in rewrite rules to stop libwww and other known agents from accessing any files via the web.

    Seems to have worked, no more exploits happening (lots of tagging was happening in addition to Gumblar).

    It's odd that it took so long for this advisory to come out though. Maybe we should have reported it but we did not know it was new as both exploits were known at the time, just no connected with a specific initiative by a hacker/botnet.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  5. I've seen this. by rincebrain · · Score: 5, Informative

    I got to clean out a system with this about a week ago. It was really nasty.

    The worst part was that I spent the better part of two days trying to figure out why the search links were still being poisoned, even after nothing on several LiveCDs found anything...it turned out that it had installed an invisible Firefox plugin/extension which was doing it.

    Exciting, huh?

    --
    It's only an insult if it's not true.