The website compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with web traffic, a security firm said on Thursday.
The Gumblar attack started in March with websites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the UK, ScanSafe said last week.
As website operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, as well as search the victim's system for FTP credentials that can be used to compromise additional websites.
The domain was changed to martuz.cn before both domains were shut down. And now, the malware is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
"Fortunately, it appears the name servers themselves are being shut down," the company said in a statement. "However, even after Gumblar-related attacks subside, cybercriminals will still possess the botnet of infected computers obtained via Gumblar."
ScanSafe contends that Gumblar is worse than Conficker, a worm that spreads via a hole in Windows through removable storage devices and network shares with weak passwords, as well as disabling security software and installing fake antivirus software.
Gumblar, which was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May, has more intrusive behaviour — it intercepts and monitors web traffic, and installs a data-theft Trojan that steals usernames and passwords from infected computers, ScanSafe said.
In addition, once a Conficker infection is remediated there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more websites, potentially exposing many more victims, the company said.
Talkback
A Whitelisting approach has gained prominence in recent years with hackers bypassing traditional perimeters to penetrate business critical data and systems.
As illustrated by the Gumblar attack, there is a new group of cybercriminals who are taking advantage of the weaknesses that arise from the dynamic threat environment. The reason why security incidents continue to rise is because the bad guys have evolved their attack methods to outwit our security defenses faster than we have responded to their attacks. They target organisations by making slight adjustments and tweaks to continually fool the signature based AV, firewalls and IPS technologies that most organisations have built their security defences around.
Previously, the prevailing thought was that it would be much easier to manage security at the gateway than individually locking down 1,000 endpoints. Today, security cannot be managed at the gateway because there are too many ways to get around these network-based defenses in this day and age. Organisations must secure the endpoint and manage what executables are running on that endpoint by adopting a whitelisting approach. More organisations will continue to look at alternative solutions outside of the traditional technologies such as AV and firewalls to manage critical risk.