Gumblar attacks on Google search results intensifies

A new attack that peppers Google search results with malicious links is spreading quickly, the U.S. Computer Emergence Response Team warned on Monday.

The attack, which has intensified in recent days, can be found on several thousand legitimate Web sites, according to security experts. It targets known flaws in Adobe’s software and uses them to install a malicious program on victims’ machines, CERT said.

The program then steals FTP login credentials from victims and uses that information to spread further. It also hijacks the victim’s browser, replacing Google search results with links chosen by the attackers. Reports of the attacks follows last week’s systems crash that caused a widespread Google outage.

Security experts started tracking the attack in March, when it had infected several hundred Web sites, but in recent weeks the number of infected sites has jumped dramatically. The attack has been called Gumblar because at one point it used the Gumblar.cn domain, though on Monday it had switched to a different one.

Security vendor ScanSafe has counted more than 3,000 infected Web sites, up from around 800 just over a week ago.

That kind of continued growth is unusual, according to Mary Landesman, a senior security researcher with ScanSafe. Attackers have launched many widespread Web attacks over the past few years, but after a few months the total number of infected sites usually drops as Webmasters clean up their servers.

With Gumblar, more and more sites are now being infected. Landesman believes it’s because Gumblar’s creators have been good at obfuscating their attack code and making it harder to spot on infected sites. And because they’ve been stealing FTP login credentials, they’ve been able to use a few new tricks to get their software onto the sites.

“They’re doing things like changing folder permissions … and leaving behind multiple ways that they can get back into the server,” she said.

Spam trends for 2009:

What to look out for

Still, Web attacks have become so widespread that Gumblar remains a relatively small-scale phenomenon, according to Symantec Security Response Product Manager John Harrison. Last year, Symantec counted 18 million online attacks against its customers. With Gumblar, it has counted 10,000. “It’s really just another day with drive-by downloads,” he said. “There really are so many of these.”

Security experts say that if you’re using a fully-patched system with up-to-date security software, you should be protected from these attacks. To date, they’ve worked by hitting the victim with malicious PDF or Flash files.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now