The Gumblar Trojan, responsible for stealing thousands of website FTP credentials earlier this year has returned, according to researchers, this time seeking out users who failed to deploy patches released last week by Adobe Systems Inc.
The malware exploit is spreading via legitimate websites, according to IBM's X-Force security team. It finds a way in by targeting website vulnerabilities, injecting code into pages that is designed to trip up visitors in drive-by attacks. The result is an increase in malicious PDF files.
IBM said Gumblar activity increased shortly after Adobe released an update patching 34 vulnerabilities, some critical to both its popular Adobe Reader and Acrobat PDF viewing software. A considerable increase in malicious PDF files was detected by IBM honeypots on Monday, passing a PDF exploit targeting Adobe Flash and also checking for unpatched vulnerabilities in Microsoft Office Web Components.
US-CERT warns of Gumblar, Martuz drive-by exploits: Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.
New Trojan stealing FTP credentials, attacking FTP websites: A new Trojan has collected up to 80,000 unique FTP server logins and is injecting malicious code into thousands of FTP websites.
Web security gateways keep Web-based malware at bay: Web Security Gateways - A new breed of integrated technology takes Web-based malware off the menu.
"All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide," the researchers wrote in a posting on the IBM X-Force Frequency X blog.
The researchers noted that Gumblar is likely continuing to use stolen FTP password credentials to compromise websites and set up its drive-by attack campaign. Security researchers noted in June that Gumblar harvested as many as 80,000 FTP passwords at the time. Victims infected with malware through the attacks are often hit with password-stealing malware.
Gumblar is also known as Gumblar Martuz, because the cybercriminals behind the attacks switched from China-based malicious domains to Martuz, domains based in the U.K.
The cybercriminals behind the malware exploit have slightly changed their method of infection. Once a hole is discovered in a website, malicious scripts and payloads are hosted directly on the compromised host. The previous Gumblar variant used a remote server to host the payload and malicious scripts, the IBM researchers said.
The U.S. Computer Emergency Response Team (US-CERT) issued an advisory in May warning about the dangers posed by Gumblar. In it, US-CERT warned enterprises and consumers to install the latest updates for various Web applications, including Flash Player and Adobe Reader. The good news is that IBM endpoint and network intrusion prevention systems, as well as Symantec Corp. and other antivirus vendors, are blocking malware that attempts to exploit the known Web application vulnerabilities.