The Web site compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, as well as search the victim's system for FTP credentials that can be used to compromise additional Web sites.
The domain was changed to martuz.cn before both domains were shut down. And now, the malware is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
"Fortunately, it appears the name servers themselves are being shut down," the company said in a statement. "However, even after Gumblar-related attacks subside, cyber criminals will still possess the botnet of infected computers obtained via Gumblar."
News 9 months ago
