US-CERT warns of Gumblar, Martuz drive-by exploits

By Robert Westervelt, News Editor
19 May 2009 | SearchSecurity.com


Security researchers are warning of the latest malware exploits that seize on website flaws in an attempt to inject malicious JavaScript code and ultimately spread malware to unsuspecting visitors.

The malware exploit, called Gumblar, has been spreading onto websites through stolen FTP credentials, vulnerable Web applications and poor configuration settings, according to an advisory issued by the U.S. Computer Emergency Response Team (US-CERT). Visitors to corrupted websites who haven't applied updates to various Web applications, including Flash Player and Adobe Reader, could become victims of a drive-by malware download.

"This malware may be used by attackers to monitor network traffic and obtain sensitive information," the US-CERT said in its advisory.

The attacks are not new, but researchers are trying to figure out exactly how so many websites became infected by the JavaScript code, said John Harrison, group product manager for Symantec Security Response. Harrison said statistics from the Norton Community Watch, a program that collects security and application data from Norton antivirus users, logged about 10,000 attacks from the malicious Gumblar domain.

"From our perspective, there's been so many of these that it is really just another new one in a long line of ones," Harrison said. "Considering the number of attacks we saw and the number of different websites infected, this is somewhat small in comparison."

Symantec and other security vendors have been successfully blocking malware that attempts to exploit known Web application vulnerabilities. Security researchers have also detected most of the China-based Gumblar domains and have gotten them shut down to protect websites from falling victim, but according to Symantec, those behind the attack have recently switched domains to Martuz, malicious domains based in the UK.

"Drive-by downloads from mainstream websites are the number one way that consumers and users are being infected today," Harrison said. "It's easy for an attacker and unfortunately a lucrative way to try and get malware to do things on a website or to try and rig some of the advertising schemes that are out there."

As many as 60% of all websites have a serious flaw that attackers can use to spread malware or gain access to sensitive data, said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. Grossman said the state of website security is improving. But even high-profile websites continue to be victimized by attackers, he said.

"Someone is going to find a way to get in," Grossman said. "That's why we've been talking about taking a multi-level approach to protect what you already have live and work with developers to improve coding before new sites are brought online."

In statistics released today, WhiteHat said websites it scans have a 65% chance of containing XSS bugs, followed by information leakage and content spoofing errors.
