The malware code dubbed Gumblar, which first appeared in
March, has once again reared its ugly head after security experts
declared it dead in April.

Gumblar seeks to identify old, unchecked vulnerabilities on a PC
that browses a hacked site, installing malware where holes are
discovered. Successful attacks install malware that manipulates
Google search result pages when they are viewed in Internet Explorer,
presenting victims with links to fraudulent sites.

"For example, if a user is trying to visit Tennis.com via
Google, they may be directed to a fraudulent site designed to look
like Tennis.com, where a backdoor Trojan will be immediately
downloaded," internet security company ScanSafe reports.
"The Trojan could then allow cybercriminals control of the
victim's computer, leading to myriad security issues, including
personal data theft and stolen FTP credentials. Once cybercriminals
are in possession of a victim's FTP credentials, any sites that
victim manages can also be targeted for compromise - a common
malware propagation tactic."

ScanSafe reports that Gumblar attacks have risen by nearly 190%
in the past week, making it one of the fastest-growing infections
on the web. So far, around 2,300 sites are known to have been
affected.

Known as drive-by download attacks, these kinds of intrusions
typically go after browser plug-ins installed by software and don't
require the user to open or download anything.

ScanSafe said that Gumblar has largely targeted PDF and Flash
flaws discovered last year (such as APSA08-01 and APSB08-11), and
users are advised to update to the latest versions of Adobe
software. ScanSafe reports that Gumblar also takes advantage of old
MDAC vulnerabilities, and recommends that users download the latest
Microsoft updates.