Drive-By Download Poisons Google Search Results

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

The Importance of Being Forgotten

[eldavojohn]

... that steals FTP login credentials ...

About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.

Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

The integration of FTP clients into browsers and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a stream lined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.

Re:The Importance of Being Forgotten

[Aladrin]

It's a pretty rare thing in the computer world to gain convenience without sacrificing security.

In fact... Drop 'computer' out of that sentence and it's still true.

It's all about a balancing act. You have to take risks to be efficient... It's just part of life.

Re:The Importance of Being Forgotten

[Abcd1234]

Well, we all know how bulletproof secure Firefox is, right?

More to the point, we all know how secure FTP is, right?

Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?

Re:Wouldn't...

[Spatial]

Me too. It's crap anyway, so I turned it off and set FF to download PDFs to a folder instead.

It's a good thing I got sick of it hanging actually, the whole PDF exploit thing came up a little after that. I still get randomly named PDFs downloading themselves sometimes, presumably they're exploit-loaded. Lately it occoured to me that, because Adobe includes a shell extension to render a preview image, simply selecting the file in Windows may be enough to trigger an exploit. Thoughts?

Re:The problem is with Adobe...

[kju]

> It's a security thing! The Adobe plugin suck.

Oh, it's a security thing. Really? Now please explain to me, why it is more
secure to open the PDF in the standalone Acrobat Reader running under the
same uid as your browser (and thus under the same uid as the standalone Reader).

It would be a security thing to use another PDF reader instead of Acrobat
Reader, but this has nothing to do with the fact if it is runs as a plugin
or not. You can both embed Acrobat Reader and other PDF readers into the
browser window in Linux.

So instead of using lame excuses to your step daugther, thus making her linux
experience bad and therefore make her dislike linux, just fix the damn box
to show the PDF inside the browser.