Slashdot Mirror
Drive-By Download Poisons Google Search Results
snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."
About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.
Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.
The integration of FTP clients into browsers and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a stream lined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.
My work here is dung.
According to Sophos, this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.
I guess this answers your question:
"Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware"
*sigh* Adobe...
On OS X I don't even install the reader anymore.
But if you use it on Windows and aren't half bothered to find a more secure PDF reader... At least turn the plugin off in Firefox
Tools > Options > Applications
Set all Adobe to always ask.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I hate it when PDFs freeze Acrobat Reader.
Don't use FTP anyways for anything sensitive like uploading to your website. I used to do that, then got infected by a virus of sorts. What it did was sniff the (non-encrypted) FTP packets to steal credentials, then log in and replace all the index files on the server with its malware infected version.
That got me to of my websites to be infected and being blocked by Firefox/Google for being reported as attack sites. Now I only use SFTP/SCP.
You just got troll'd!
Me too. It's crap anyway, so I turned it off and set FF to download PDFs to a folder instead.
It's a good thing I got sick of it hanging actually, the whole PDF exploit thing came up a little after that. I still get randomly named PDFs downloading themselves sometimes, presumably they're exploit-loaded. Lately it occoured to me that, because Adobe includes a shell extension to render a preview image, simply selecting the file in Windows may be enough to trigger an exploit. Thoughts?
This may not have been intentional, but the Scroogle link in parent post is wrong, and goes to a site that is NSFW.
Correct link is here.
I got infected with this piece of shit (or some other very similar piece of shit) because malicious code on a website somehow forced Adobe Reader to open a PDF, although Foxit had been my default PDF reader for months (in conjunction with the PDF Download add-on, which was somehow circumvented as well).
Sure, I should have been suspicious instead of just annoyed at AR opening out of the blue. And sure, I should have uninstalled AR when I started using Foxit, instead of just letting it sit on my computer. This is just a warning to other people that are as stupid as me.
Trojans that modify your browser's behaviour don't care for connections or encryption thereof, because the modification happens much higher in the chain. I had a trojan to dissect that literally changed your online banking information inside the browser. You saw that you're transfering A bucks to B, while the trojan sent to the bank you're transfering C bucks to D. The bank confirmed C bucks for D, and the browser asked the user for the confirmation code to send A bucks to B.
As soon as the browser is under the control of malware, it can manipulate your input before it is encrypted and sent through the wire, and manipulate the output after it has been decrypted and before you get to see it.
Locking down the browser would essentially also mean that you disable anything that can inject code into running processes (createremoteprocess and the like), as well as disallow browser plugins. I doubt many people would really want that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Some recent adobe confirmed exploits do this. In some cases, simply mousing over the file and getting the preview alledgedly can cause infection.
I had 6 websites infected by this last month. Flash and PDF downloads starting in iframes offscreen.... based out of China.
Not sure if it was a web exploit or ftp login theft. We looked at both early on as the footprint was confusing in that things were happening that shouldn't be possible without direct access to the server via ftp.
We changed all passwords to be sure that there weren't any old ones floating around on insecure PCs in the company or with clients, then updated all applications do remove any known exploits. Then added in rewrite rules to stop libwww and other known agents from accessing any files via the web.
Seems to have worked, no more exploits happening (lots of tagging was happening in addition to Gumblar).
It's odd that it took so long for this advisory to come out though. Maybe we should have reported it but we did not know it was new as both exploits were known at the time, just no connected with a specific initiative by a hacker/botnet.
A fool throws a stone into a well and a thousand sages can not remove it.
In their security alert, Adobe urges people to upgrade from Adobe Reader 9.1.0 to 9.1.1. If you install Reader from their main download site, they still give you 9.1.0. The 9.1.1 update is available only if you follow the links at the bottom of the security alert. Insecurity through obscurity!
I got to clean out a system with this about a week ago. It was really nasty.
The worst part was that I spent the better part of two days trying to figure out why the search links were still being poisoned, even after nothing on several LiveCDs found anything...it turned out that it had installed an invisible Firefox plugin/extension which was doing it.
Exciting, huh?
It's only an insult if it's not true.
Just scroogle it.
This is not the sig you're looking for.