The best way IT managers can protect against the rapidly spreading Gumblar attack, which some security experts now say contributes to nearly half the malware on the Web, is to simply use common sense.
“Realistically, malware has become a pretty well understood threat and is also a pretty easily resolved threat,” said James Quin, senior research analyst with London, Ont.-based Info-Tech Research Group Ltd. “In the vast majority of cases malware infection and spread can be easily prevented with a little judicious patching.”
For IT managers who haven’t kept up to date on this fast spreading attack, also known as JSRedir-R, Gumblar works by embedding itself via malicious JavaScript code into Web sites and then infecting users who visit the infected pages. Once a PC has been exposed to the malicious code, Gumblar diverts the users’ Google search engine results to point to malware and phishing sites.
The attack has the potential to affect IT managers twice, Quin said: First, on the endpoints that might visit a Gumblar-infected site, and then on enterprise Web servers that are hacked to serve as a Gumblar distribution point.
“The endpoint component is likely the portion that most folks will worry about, but that carries the least amount of threat,” Quin said. “As long as IT managers have made sure that their desktops and laptops are kept up-to-date with patches, then they shouldn’t be worried (because) Gumblar exploits known vulnerabilities in Flash and Acrobat Reader.”
The Web server component could give IT managers a bit more trouble, he added, as these servers are usually found in less secure network DMZ. IT administrators should make sure that “any Web servers they have are patched, protected by strong access controls (or complex passwords), and are reviewed for threats and vulnerabilities on a regular basis,” Quin added.
As of last week, San Francisco-based security vendor ScanSafe Inc. had counted more than 3,000 Gumblar-infected Web sites, up from around 800 the previous week. Attackers have launched many widespread Web attacks over the past few years, but typically after a few months the total number of infected sites usually drops as Web site administrators clean up their servers, said Mary Landesman, a senior security researcher with ScanSafe.
But with more sites being attacked by Gumblar, the creators of the virus have been extremely effective at obfuscating their attack code and making it harder to spot on infected sites, she added. And because they've been stealing FTP login credentials from infected users, they've been able to use a few new tricks to get their software onto the sites. “They're doing things like changing folder permissions … and leaving behind multiple ways that they can get back into the server,” she said.
For IT shops, worrying about how many Web sites have fallen victim to the attack and getting caught up in the Gumblar hype machine is counterproductive. Instead, IT administrators need to focus on the fundamentals.
According to Quin that includes rigorous patching procedures on all enterprise devices, maintaining up-to-date anti-malware infrastructure at the gateway and the endpoint, configuring network firewalls to restrict outbound traffic, and instituting an in-house vulnerability scanning program to ensure that weaknesses are detected before they cause damage.
– With files from IDG News Service