US-CERT warns of Gumblar, Martuz drive-by exploits

Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.

Security researchers are warning of the latest malware exploits that seize on website flaws in an attempt to inject malicious JavaScript code and ultimately spread malware to unsuspecting visitors. 

The malware exploit, called Gumblar, has been spreading onto websites through stolen FTP credentials, vulnerable Web applications and poor configuration settings, according to an advisory issued by the United States Computer Emergency Readiness Team (US-CERT). Visitors to compromised websites who haven't applied updates to client software such as Adobe Flash Player and Adobe Reader could fall victim to a drive-by malware download.

"This malware may be used by attackers to monitor network traffic and obtain sensitive information," US-CERT said in its advisory.
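The infection chain described above leaves a footprint a site owner can look for: a block of obfuscated JavaScript, or a script or iframe pointing at a host the site never used, dropped into otherwise legitimate pages. The following scanner is an added example written for this article (it is not code from US-CERT, Symantec or the article's author) and flags that generic footprint in HTML pulled from a webroot. The indicator list, weights and threshold are assumptions to tune per site, not a published Gumblar or Martuz signature, and the sample pages and hostnames (bad-loader.invalid, www.example.com) are constructed placeholders.

```python
"""Heuristic scan for injected drive-by loaders in a site's HTML.

Added example, not code from the article, US-CERT or Symantec. Flags:
  - an obfuscated inline <script> (several obfuscation markers together),
  - a <script src> or <iframe src> whose host is not on the owner's list,
  - an iframe hidden with 0x0 dimensions or display:none.
Markers, weights and threshold are assumptions to tune per site.
"""
import os
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"""|\b(?:width|height)\s*=\s*["']?0+(?!\d)""", re.I)

# Markers typical of obfuscated loaders; one alone is normal, several together
# are the signal (assumed weights, not a published signature).
OBFUSCATION_MARKERS = (
    ("eval(", 2), ("unescape(", 2), ("String.fromCharCode", 2),
    ("document.write(", 1), (".replace(/", 1), ("\\x", 1),
)
OBFUSCATION_THRESHOLD = 3


def host_of(url):
    """Lower-cased hostname of an absolute or protocol-relative URL;
    None for relative paths such as /js/site.js."""
    if url.startswith("//"):
        url = "http:" + url
    return urlparse(url).hostname or None  # .hostname is already lower-cased


def scan_html(html, trusted_hosts):
    """Return a list of (indicator, detail) findings for one HTML document."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = host_of(src.group(1))
            if host and host not in trusted:
                findings.append(("external-script", host))
        score = sum(w for marker, w in OBFUSCATION_MARKERS if marker in body)
        if score >= OBFUSCATION_THRESHOLD:
            findings.append(("obfuscated-inline-script", body.strip()[:60]))
    for attrs in IFRAME_RE.findall(html):
        src = SRC_RE.search(attrs)
        host = host_of(src.group(1)) if src else None
        offsite = host is not None and host not in trusted
        if offsite or HIDDEN_RE.search(attrs):
            findings.append(("hidden-or-offsite-iframe", host or "(no src)"))
    return findings


def scan_tree(root, trusted_hosts, exts=(".html", ".htm", ".php", ".tpl")):
    """Walk a webroot copy (e.g. fetched over SFTP) and map path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read(), trusted_hosts)
                if found:
                    report[path] = found
    return report


# Hosts the (hypothetical) site owner legitimately loads scripts from.
TRUSTED_HOSTS = ("www.example.com", "ajax.googleapis.com")

# Constructed sample pages; the injected block is a placeholder, not captured
# Gumblar content.
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
</head><body><p>Hello</p>
<script>document.write("<p>" + new Date() + "</p>");</script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
var s="%3c%69%66%72%61%6d%65";eval(unescape(s));
</script><script src="http://bad-loader.invalid/x.js"></script>
<iframe src="http://bad-loader.invalid/in.php" width=0 height=0></iframe>
</body>""")

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_html(page, TRUSTED_HOSTS))
```

Run it against a fresh copy of the webroot rather than the live server's view of itself, since an attacker holding the FTP credentials can edit whatever the server serves; and treat a hit as a prompt to rotate those credentials and diff the tree against a known-good backup, not as proof on its own.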

The attacks are not new, but researchers are still trying to figure out exactly how so many websites became infected with the JavaScript code, said John Harrison, group product manager for Symantec Security Response. Harrison said statistics from the Norton Community Watch, a program that collects security and application data from Norton antivirus users, logged about 10,000 attacks from the malicious Gumblar domain.

"From our perspective, there's been so many of these that it is really just another new one in a long line of ones," Harrison said. "Considering the number of attacks we saw and the number of different websites infected, this is somewhat small in comparison."

Symantec and other security vendors have been successfully blocking malware that attempts to exploit known Web application vulnerabilities. Security researchers have also identified most of the China-based Gumblar domains and had them shut down to protect websites from falling victim, but according to Symantec, those behind the attack have recently switched to Martuz, a set of malicious domains hosted in the UK.

"Drive-by downloads from mainstream websites are the number one way that consumers and users are being infected today," Harrison said. "It's easy for an attacker and unfortunately a lucrative way to try and get malware to do things on a website or to try and rig some of the advertising schemes that are out there."

As much as 60% of all websites have a serious flaw that attackers can use to spread malware or gain access to sensitive data, said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. Grossman said the state of website security is improving, but even high-profile websites continue to be victimized by attackers.

"Someone is going to find a way to get in," Grossman said. "That's why we've been talking about taking a multi-level approach to protect what you already have live and work with developers to improve coding before new sites are brought online."

In statistics released today, WhiteHat said the websites it scans have a 65% chance of containing cross-site scripting (XSS) bugs, followed by information leakage and content spoofing errors.
