Slashdot Mirror


Drive-By Download Poisons Google Search Results

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

17 of 136 comments

  1. The Importance of Being Forgotten by eldavojohn · · Score: 5, Insightful

    > ... that steals FTP login credentials ...

    About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.

    Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more, and I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

    FTP clients are being integrated into browsers, and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a streamlined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.

    --
    My work here is dung.
    1. Re:The Importance of Being Forgotten by Aladrin · · Score: 5, Insightful

      It's a pretty rare thing in the computer world to gain convenience without sacrificing security.

      In fact... Drop 'computer' out of that sentence and it's still true.

      It's all about a balancing act. You have to take risks to be efficient... It's just part of life.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:The Importance of Being Forgotten by morgan_greywolf · · Score: 2, Insightful

      Smart card readers are only as secure as the smart cards themselves.

    3. Re:The Importance of Being Forgotten by Abcd1234 · · Score: 4, Insightful

      > Well, we all know how bulletproof secure Firefox is, right?

      More to the point, we all know how secure FTP is, right?

      Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?

    4. Re:The Importance of Being Forgotten by Anonymous Coward · · Score: 1, Insightful

      > Well, we all know how bulletproof secure Firefox is, right?
      >
      > More to the point, we all know how secure FTP is, right?
      >
      > Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?

      Um, if you bothered to read his post, WinSCP and FireFTP are both SFTP or support it at least. And if he's connecting to other people's servers, what is he supposed to do? Ask them to move to SFTP before he will help or transfer?

    5. Re:The Importance of Being Forgotten by BenoitRen · · Score: 2, Insightful

      > Well, we all know how bulletproof secure Firefox is, right? Not very.

      Care to substantiate this? Firefox has a very good track record when it comes to security thanks to its quick responses to known vulnerabilities and patching almost all of them before they become publicly known.

    6. Re:The Importance of Being Forgotten by CatBegemot · · Score: 2, Insightful

      "Smart card readers are only as secure as people using them" Here, fixed that for you. You're welcome.

    7. Re:The Importance of Being Forgotten by Presto+Vivace · · Score: 2, Insightful

      Security that is too cumbersome will be ignored by users; they will use go-arounds that dispense with security altogether. Ease of use is a critical part of security.

    8. Re:The Importance of Being Forgotten by 117 · · Score: 2, Insightful

      > Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

      As you mentioned that you use Windows machines, why not just use Windows Explorer for FTP purposes?

  2. Wouldn't... by Jaysyn · · Score: 2, Insightful

    ... Flashblock basically remove this exploit's ability to infect your PC?

    --
    There is a war going on for your mind.
    1. Re:Wouldn't... by Anonymous Coward · · Score: 2, Insightful

      I think Adobe (PDF and Flash) are the biggest nuisance to computers. I hate it when PDFs in firefox freeze the browser.

    2. Re:Wouldn't... by Spatial · · Score: 3, Insightful

      Me too. It's crap anyway, so I turned it off and set FF to download PDFs to a folder instead.

      It's a good thing I got sick of it hanging actually, the whole PDF exploit thing came up a little after that. I still get randomly named PDFs downloading themselves sometimes, presumably they're exploit-loaded. Lately it occurred to me that, because Adobe includes a shell extension to render a preview image, simply selecting the file in Windows may be enough to trigger an exploit. Thoughts?

  3. Re:Google Attacks by Anonymous Coward · · Score: 1, Insightful

    Hey! Please mention if your URLs are NSFW next time! (scroogle isn't, some porn stuff)

  4. Re:stuck with adobe by Norsefire · · Score: 2, Insightful

    Consider an organisation, such as a newspaper or print company, where Adobe's software is the industry standard.

  5. Re:The problem is with Adobe... by morgan_greywolf · · Score: 2, Insightful

    Yep. My step-daughter is always saying things like "I hate Ubuntu! It makes you load the PDF in a separate application, not right in the browser like on Windows!"

    It's a security thing! The Adobe plugins suck.

    Another way to fix the whole thing is to just use NoScript. No scripts running on a Web page == no drive-by downloads.

  6. Google Attacks (With Corrected Link) by Fantom42 · · Score: 2, Insightful

    (Reposted with Correct Link)

    As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine it's popular because it's a bit subtle and pernicious. How much malware is out there that is undiscovered because the effects are more subtle? Maybe reordering search results? Replacing ads with different ones?

    For my mom, I ended up using http://www.scroogle.org/ to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admit I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man in the middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.

      When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached on a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now.
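The "self-CRC checker" idea above is, in modern terms, file integrity monitoring, and it is also the natural defence against the server side of Gumblar, where stolen FTP credentials are used to edit files on a web host. The following is an added example written for this page, not code from the commenter or from CERT: it records a baseline of fingerprints for a web root and later reports which tracked files were modified, added or removed. It keeps a CRC32 alongside SHA-256 only to mirror the comment; CRC32 is trivially forged, so SHA-256 is what the comparison should rely on. The web root, file names and the simulated edit in `demo()` are all constructed.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

TRACKED_SUFFIXES = (".html", ".php", ".js")


def fingerprint(path):
    """Return (crc32, sha256 hex) of a file's contents.

    CRC32 echoes the comment's self-checker; SHA-256 is the value that
    actually makes tampering hard to hide.
    """
    data = Path(path).read_bytes()
    return zlib.crc32(data) & 0xFFFFFFFF, hashlib.sha256(data).hexdigest()


def build_baseline(root, suffixes=TRACKED_SUFFIXES):
    """Map each tracked file (relative to root) to its fingerprint."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def verify(root, baseline, suffixes=TRACKED_SUFFIXES):
    """Compare the current tree against a stored baseline.

    Returns a report with three sorted lists: files whose content changed,
    files that appeared since the baseline, and files that disappeared.
    """
    current = build_baseline(root, suffixes)
    report = {"modified": [], "added": [], "missing": []}
    for rel, fp in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != fp:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: a tiny web root, a baseline, then an unauthorised edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "about.html").write_text("<html><body>About</body></html>\n")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")  # not a tracked suffix
        baseline = build_baseline(root)

        # Simulate what a compromised FTP account would do: alter one page
        # and drop a new script file. Both are constructed placeholders.
        with open(root / "index.html", "a") as f:
            f.write("<!-- constructed unauthorised edit -->\n")
        (root / "extra.js").write_text("// constructed dropped file\n")

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline has to live somewhere the same stolen credentials cannot reach (a separate host, or a read-only store), otherwise an attacker who can edit the files can just as easily rewrite the fingerprints.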

  7. Re:The problem is with Adobe... by kju · · Score: 3, Insightful

    > It's a security thing! The Adobe plugins suck.

    Oh, it's a security thing. Really? Now please explain to me why it is more secure to open the PDF in the standalone Acrobat Reader running under the same uid as your browser (and thus under the same uid as the standalone Reader).

    It would be a security thing to use another PDF reader instead of Acrobat Reader, but this has nothing to do with whether it runs as a plugin or not. You can embed both Acrobat Reader and other PDF readers into the browser window in Linux.

    So instead of using lame excuses to your step daughter, thus making her linux experience bad and therefore making her dislike linux, just fix the damn box to show the PDF inside the browser.