19 May 2009 @ 03:51 pm
Web attack that "poisons" Google results is spreading  
This is from Network World, with a link to US-CERT (U.S. Computer Emergency Readiness Team), so I am willing to treat it as legitimate, rather than a hoax. Since I don't understand all the details, I'm simply going to quote the Network World article.
Web attack that poisons Google results gets worse

The Gumblar attack has infected more than 3000 Web sites

By Robert McMillan, IDG News Service, 05/19/2009

A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergency Readiness Team warned on Monday.

The attack, which has intensified in recent days, can be found on several thousand legitimate Web sites, according to security experts. It targets known flaws in Adobe's software and uses them to install a malicious program on victims' machines, CERT said.
The program then steals FTP login credentials from victims and uses that information to spread further. It also hijacks the victim's browser, replacing Google search results with links chosen by the attackers.

Security experts started tracking the attack in March, when it had infected several hundred Web sites, but in recent weeks the number of infected sites has jumped dramatically. The attack has been called Gumblar because at one point it used the Gumblar.cn domain, though on Monday it had switched to a different one.

Security vendor ScanSafe has counted more than 3,000 infected Web sites, up from around 800 just over a week ago.
Security experts say that if you're using a fully-patched system with up-to-date security software, you should be protected from these attacks. To date, they've worked by hitting the victim with malicious PDF or Flash files. [emphasis mine]
seawasp on May 19th, 2009 08:29 pm (UTC)
Problem is if you're using a fully-patched system with up to date security software, you and the other three people like you really don't make up much of the network.
guppiecat on May 19th, 2009 10:19 pm (UTC)
While most of these are Windows specific, and you should be mostly OK, at least one of these attacks is cross platform for propagation and browser-based theft. It uses the JavaScript hooks that are built into PDFs and Flash. If you're using Firefox (or whatever) on Linux (or whatever), you should still be running an antimalware system (I like Sophos, but ClamAV is good too) and running with reduced privs.

You should also have a separate browser (I use Opera) for connecting to specific high-risk sites like online banking and credit card management.

ETA: Now that I've thought about it a bit, it is possible for a cross-platform attack to harvest the passwords mentioned, if they're cached in your browser. It would also be wise to update Flash and Acrobat Reader and to look at any cached passwords and delete any that you don't need to have cached. IMO, the time saved by caching them does not outweigh the security risks.

Edited at 2009-05-19 10:27 pm (UTC)
une idee fixe (ideealisme) on May 20th, 2009 08:22 am (UTC)
Thanks for the heads-up, Janet. Might explain why AVG snarled up my Adobe dll the other day, saving me the trouble of checking!