Gumblar Trojan drive-by exploits spike following Adobe update

By Robert Westervelt, News Editor, SearchSecurity.com 21 Oct 2009 | SearchSecurity.in

Digg This!     StumbleUpon     Del.icio.us

The Gumblar Trojan, responsible for stealing thousands of website FTP credentials earlier this year has returned, according to researchers, this time seeking out users who failed to deploy patches released last week by Adobe Systems Inc.

The malware exploit is spreading via legitimate websites, according to IBM's X-Force security team. It finds a way in by targeting website vulnerabilities, injecting code into pages that is designed to trip up visitors in drive-by attacks. The result is an increase in malicious PDF files.

IBM said Gumblar activity increased shortly after Adobe released an update patching 34 vulnerabilities, some critical to both its popular Adobe Reader and Acrobat PDF viewing software. A considerable increase in malicious PDF files was detected by IBM honeypots on Monday, passing a PDF exploit targeting Adobe Flash and also checking for unpatched vulnerabilities in Microsoft Office Web Components.

"All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide," the researchers wrote in a posting on the IBM X-Force Frequency X blog.

The researchers noted that Gumblar is likely continuing to use stolen FTP password credentials to compromise websites and set up its drive-by attack campaign. Security researchers noted in June that Gumblar harvested as many as 80,000 FTP passwords at the time. Victims infected with malware through the attacks are often hit with password-stealing malware.

Gumblar is also known as Gumblar Martuz, because the cybercriminals behind the attacks switched from China-based malicious domains to Martuz, domains based in the U.K.

The cybercriminals behind the malware exploit have slightly changed their method of infection. Once a hole is discovered in a website, malicious scripts and payloads are hosted directly on the compromised host. The previous Gumblar variant used a remote server to host the payload and malicious scripts, the IBM researchers said.

SearchSecurity radio:

The U.S. Computer Emergency Response Team (US-CERT) issued an advisory in May warning about the dangers posed by Gumblar. In it, US-CERT warned enterprises and consumers to install the latest updates for various Web applications, including Flash Player and Adobe Reader. The good news is that IBM endpoint and network intrusion prevention systems, as well as Symantec Corp. and other antivirus vendors, are blocking malware that attempts to exploit the known Web application vulnerabilities.

Tags: Application and Web threat defenses,  Hacking countermeasures,  Viruses, worms, spyware, and other malware,  Threat Monitor,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application and Web threat defenses How to address HIPAA data encryption security challenges Noted cryptographer on SSL, encryption and cloud computing Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection 11 application security tweaks for a secure SDLC Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage What to do with network penetration test results Hacking countermeasures How to address HIPAA data encryption security challenges Vulnerability management gets in-house treatment at AXA Business Services Gartner's server virtualization security risk list Noted cryptographer on SSL, encryption and cloud computing Two factor authentication gets token agnostic at Central Bank of India Considering two-factor authentication? Do cost, risk analysis PCI tokenization push promising but premature, experts say Clientless SSL VPN vulnerability and Web browser protection How to perform an Active Directory health check Information rights management helps L&T protect its knowhow Viruses, worms, spyware, and other malware Vulnerability management gets in-house treatment at AXA Business Services Gartner's server virtualization security risk list Clientless SSL VPN vulnerability and Web browser protection Cloud Security Alliance releases top cloud computing security threats Zeus Trojan continues reign infecting 74,000 PCs in global botnet Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look Configuring a Windows network infrastructure: Wired, wireless security A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary man-in-the-middle (MitM) attack  (SearchSecurityIN.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary