Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-By Download Poisons Google Search Results

Posted by timothy on from the monocultural-imperialism dept.

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

17 of 136 comments (clear)

  1. The Importance of Being Forgotten by eldavojohn · · Score: 5, Insightful

    ... that steals FTP login credentials ...

    About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.

    Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

    The integration of FTP clients into browsers and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a stream lined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.

    --
    My work here is dung.
    1. Re:The Importance of Being Forgotten by Aladrin · · Score: 5, Insightful

      It's a pretty rare thing in the computer world to gain convenience without sacrificing security.

      In fact... Drop 'computer' out of that sentence and it's still true.

      It's all about a balancing act. You have to take risks to be efficient... It's just part of life.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:The Importance of Being Forgotten by Anonymous Coward · · Score: 4, Interesting

      On the contrary, security without convenience is a myth. When "logging in" is an arcane protocol, then the user focuses on technical details instead of thinking about potential avenues of attack. Computers should handle the arbitrary and fiddly details and leave only the critical aspects to the user.

      The real problem with the security of credentials is that for some reason we're not willing to do the right thing, which is to encapsulate authentication in a small (and therefore easier to secure) subsystem, like a class 3 smart card reader.

    3. Re:The Importance of Being Forgotten by Abcd1234 · · Score: 4, Insightful

      Well, we all know how bulletproof secure Firefox is, right?

      More to the point, we all know how secure FTP is, right?

      Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?

    4. Re:The Importance of Being Forgotten by Anonymous Coward · · Score: 5, Funny

      Well, we all know how bulletproof secure Firefox is, right? Not very.

      Care to substantiate this? Firefox has a very good track record when it comes to security thanks to its quick responses to known vulnerabilities and patching almost all of them before they become publicly known.

      Sure, let me explain:

      1. I am snide.
      2. I am a bitter fanboy of another browser, which, for the sake of argument, I'll call... um... "Mop-er-ah".
      3. Firefox is more popular than my pet browser.
      4. By points 2 and 3 (and with help from 1), I am indier than thou.

      Therefore, it is obvious that I'm right and Firefox has a long-standing track record of swiss cheese security that any infant can get around from remote without the user even turning on the computer. QED.

      Next I'll tell you why spaghetti has a lousy track record in security issues. Right after I finish my stuffed pasta shells. Stupid spaghetti, stealing all the best features of stuffed pasta shells...

  2. Sophos by Spad · · Score: 5, Informative

    According to Sophos, this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.

  3. Re:Wouldn't... by ZirconCode · · Score: 4, Informative

    I guess this answers your question:

    "Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware"

    *sigh* Adobe...

  4. The problem is with Adobe... by vertinox · · Score: 5, Informative

    On OS X I don't even install the reader anymore.

    But if you use it on Windows and aren't half bothered to find a more secure PDF reader... At least turn the plugin off in Firefox

    Tools > Options > Applications

    Set all Adobe to always ask.

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
    1. Re:The problem is with Adobe... by drinkypoo · · Score: 4, Informative

      Install mozplugger and you can use evince to view PDFs inside of Firefox. If you install it on Ubuntu it happens automtically. It will use acroread if it's installed, I think; it will also use kpdf if you happen to be on Kubuntu, and I think xpdf for Xubuntu.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. You hate it when PDFs freeze Firefox? by Norsefire · · Score: 4, Funny

    I hate it when PDFs freeze Acrobat Reader.

  6. DON'T CLICK LINK IN PARENT POST (NSFW) by Anonymous Coward · · Score: 5, Informative

    This may not have been intentional, but the Scroogle link in parent post is wrong, and goes to a site that is NSFW.

    Correct link is here.

  7. Re:Google Attacks by Opportunist · · Score: 5, Interesting

    Trojans that modify your browser's behaviour don't care for connections or encryption thereof, because the modification happens much higher in the chain. I had a trojan to dissect that literally changed your online banking information inside the browser. You saw that you're transfering A bucks to B, while the trojan sent to the bank you're transfering C bucks to D. The bank confirmed C bucks for D, and the browser asked the user for the confirmation code to send A bucks to B.

    As soon as the browser is under the control of malware, it can manipulate your input before it is encrypted and sent through the wire, and manipulate the output after it has been decrypted and before you get to see it.

    Locking down the browser would essentially also mean that you disable anything that can inject code into running processes (createremoteprocess and the like), as well as disallow browser plugins. I doubt many people would really want that.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Wouldn't... by joelmax · · Score: 4, Interesting

    Some recent adobe confirmed exploits do this. In some cases, simply mousing over the file and getting the preview alledgedly can cause infection.

  9. 6 website infected with this last month by foniksonik · · Score: 5, Informative

    I had 6 websites infected by this last month. Flash and PDF downloads starting in iframes offscreen.... based out of China.

    Not sure if it was a web exploit or ftp login theft. We looked at both early on as the footprint was confusing in that things were happening that shouldn't be possible without direct access to the server via ftp.

    We changed all passwords to be sure that there weren't any old ones floating around on insecure PCs in the company or with clients, then updated all applications do remove any known exploits. Then added in rewrite rules to stop libwww and other known agents from accessing any files via the web.

    Seems to have worked, no more exploits happening (lots of tagging was happening in addition to Gumblar).

    It's odd that it took so long for this advisory to come out though. Maybe we should have reported it but we did not know it was new as both exploits were known at the time, just no connected with a specific initiative by a hacker/botnet.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  10. Adobe Reader 9.1.1 not installed by default! by AxelBoldt · · Score: 5, Interesting

    In their security alert, Adobe urges people to upgrade from Adobe Reader 9.1.0 to 9.1.1. If you install Reader from their main download site, they still give you 9.1.0. The 9.1.1 update is available only if you follow the links at the bottom of the security alert. Insecurity through obscurity!

  11. I've seen this. by rincebrain · · Score: 5, Informative

    I got to clean out a system with this about a week ago. It was really nasty.

    The worst part was that I spent the better part of two days trying to figure out why the search links were still being poisoned, even after nothing on several LiveCDs found anything...it turned out that it had installed an invisible Firefox plugin/extension which was doing it.

    Exciting, huh?

    --
    It's only an insult if it's not true.
  12. Re:What is is NSFW? by Rashdot · · Score: 4, Funny

    Just scroogle it.

    --
    This is not the sig you're looking for.