Gumblar Trojan drive-by exploits spike following Adobe update
By Robert Westervelt, News Editor, SearchSecurity.com
21 Oct 2009 | searchSecurity.in
The Gumblar Trojan, responsible for stealing thousands of website FTP credentials earlier this year has returned, according to researchers, this time seeking out users who failed to deploy patches released last week by Adobe Systems Inc.
The malware exploit is spreading via legitimate websites, according to IBM's X-Force security team. It finds a way in by targeting website vulnerabilities, injecting code into pages that is designed to trip up visitors in drive-by attacks. The result is an increase in malicious PDF files.
IBM said Gumblar activity increased shortly after Adobe released an update patching 34 vulnerabilities, some critical to both its popular Adobe Reader and Acrobat PDF viewing software. A considerable increase in malicious PDF files was detected by IBM honeypots on Monday, passing a PDF exploit targeting Adobe Flash and also checking for unpatched vulnerabilities in Microsoft Office Web Components.
"All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide," the researchers wrote in a posting on the IBM X-Force Frequency X blog.
The researchers noted that Gumblar is likely continuing to use stolen FTP password credentials to compromise websites and set up its drive-by attack campaign. Security researchers noted in June that Gumblar harvested as many as 80,000 FTP passwords at the time. Victims infected with malware through the attacks are often hit with password-stealing malware.
Gumblar is also known as Gumblar Martuz, because the cybercriminals behind the attacks switched from China-based malicious domains to Martuz, domains based in the U.K.
The cybercriminals behind the malware exploit
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By joining searchSecurity.in you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
TechTarget cares about your privacy. Read our Privacy Policy
have slightly changed their method of infection. Once a hole is discovered in a website, malicious scripts and payloads are hosted directly on the compromised host. The previous Gumblar variant used a remote server to host the payload and malicious scripts, the IBM researchers said.
|
 |
The U.S. Computer Emergency Response Team (US-CERT) issued an advisory in May warning about the dangers posed by Gumblar. In it, US-CERT warned enterprises and consumers to install the latest updates for various Web applications, including Flash Player and Adobe Reader. The good news is that IBM endpoint and network intrusion prevention systems, as well as Symantec Corp. and other antivirus vendors, are blocking malware that attempts to exploit the known Web application vulnerabilities.