Gumblar Trojan drive-by exploits spike following Adobe update

By Robert Westervelt, News Editor 20 Oct 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The Gumblar Trojan, responsible for stealing thousands of website FTP credentials earlier this year has returned, according to researchers, this time seeking out users who failed to deploy patches released last week by Adobe Systems Inc.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The malware exploit is spreading via legitimate websites, according to IBM's X-Force security team. It finds a way in by targeting website vulnerabilities, injecting code into pages that is designed to trip up visitors in drive-by attacks. The result is an increase in malicious PDF files.

IBM said Gumblar activity increased shortly after Adobe released an update patching 34 vulnerabilities, some critical to both its popular Adobe Reader and Acrobat PDF viewing software. A considerable increase in malicious PDF files was detected by IBM honeypots on Monday, passing a PDF exploit targeting Adobe Flash and also checking for unpatched vulnerabilities in Microsoft Office Web Components.

Gumblar Marutz: US-CERT warns of Gumblar, Martuz drive-by exploits: Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.  New Trojan stealing FTP credentials, attacking FTP websites: A new Trojan has collected up to 80,000 unique FTP server logins and is injecting malicious code into thousands of FTP websites.  Web security gateways keep Web-based malware at bay: Web Security Gateways - A new breed of integrated technology takes Web-based malware off the menu.

"All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide," the researchers wrote in a posting on the IBM X-Force Frequency X blog.

The researchers noted that Gumblar is likely continuing to use stolen FTP password credentials to compromise websites and set up its drive-by attack campaign. Security researchers noted in June that Gumblar harvested as many as 80,000 FTP passwords at the time. Victims infected with malware through the attacks are often hit with password-stealing malware.

Gumblar is also known as Gumblar Martuz, because the cybercriminals behind the attacks switched from China-based malicious domains to Martuz, domains based in the U.K.

The cybercriminals behind the malware exploit have slightly changed their method of infection. Once a hole is discovered in a website, malicious scripts and payloads are hosted directly on the compromised host. The previous Gumblar variant used a remote server to host the payload and malicious scripts, the IBM researchers said.

SearchSecurity radio:

The U.S. Computer Emergency Response Team (US-CERT) issued an advisory in May warning about the dangers posed by Gumblar. In it, US-CERT warned enterprises and consumers to install the latest updates for various Web applications, including Flash Player and Adobe Reader. The good news is that IBM endpoint and network intrusion prevention systems, as well as Symantec Corp. and other antivirus vendors, are blocking malware that attempts to exploit the known Web application vulnerabilities.

Tags: Web Application and Web 2.0 Threats,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Application and Web 2.0 Threats Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware Pushdo botnet uses Facebook to spread malicious email attachment Do Facebook URL security concerns justify blocking social networks? Some Facebook applications lead to Russian attack sites Web Application Security Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Scanning with N-Stalker offers basic Web application security assessment Attackers target PDF, DirectShow flaws with malicious banner ads New Bahama botnet evades search engines, fuels click fraud

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary