John Harrison, Group Project Manager, Symantec Security Response
The malware exploit, called Gumblar, has been spreading onto websites through stolen FTP credentials, vulnerable Web applications and poor configuration settings, according to an advisory issued by the U.S. Computer Emergency Response Team (US-CERT). Visitors to compromised websites who haven't applied updates to various Web applications, including Flash Player and Adobe Reader, could become victims of a drive-by malware download.
"This malware may be used by attackers to monitor network traffic and obtain sensitive information," the US-CERT said in its advisory.
"From our perspective, there's been so many of these that it is really just another new one in a long line of ones," Harrison said. "Considering the number of attacks we saw and the number of different websites infected, this is somewhat small in comparison."
Symantec and other security vendors have been successfully blocking malware that attempts to exploit known Web application vulnerabilities. Security researchers have also detected most of the China-based Gumblar domains and have gotten them shut down to protect websites from falling victim, but according to Symantec, those behind the attack have recently switched domains to Martuz, malicious domains based in the UK.
"Drive-by downloads from mainstream websites are the number one way that consumers and users are being infected today," Harrison said. "It's easy for an attacker and unfortunately a lucrative way to try and get malware to do things on a website or to try and rig some of the advertising schemes that are out there."
As much as 60% of all websites have a serious flaw that is used by attackers to spread malware or gain access to sensitive data, said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. Grossman said the state of website security is improving, but even high-profile websites continue to be victimized by attackers.
"Someone is going to find a way to get in," Grossman said. "That's why we've been talking about taking a multi-level approach to protect what you already have live and work with developers to improve coding before new sites are brought online."
In statistics released today, WhiteHat said the websites it scans have a 65% chance of containing XSS bugs, followed by information leakage and content spoofing errors.