Security Blog
May 2009 Archives
May 29, 2009
Gumblar: One Week Later
A week ago Gumblar officially became a major threat. You can read our report on Gumblar here (or just scroll down and look at the previous blog entry). Since then, it has only become more intrusive and evasive. The virus has shown no signs of slowing down. Although the original domains gumblar.cn and martuz.cn have been shut down, new ones such as liteautotop.cn and autobestwestern.cn have taken their place. The injected scripts are now dynamically generated and created in a way that bypasses virus scanner detection.
What Gumblar has shown us is how vulnerable we are to Web-based malware attacks. This, along with malware targeting YouTube and Facebook users, is a clear indication that cyber criminals have shifted their focus to the Web. It's not just the anti-malware or data leak prevention technology that is having a hard time stopping Gumblar, but also the unawareness of your regular Joe as he does a Google search or browses the Web. The Web is a dangerous place, but the general public does not know that yet. That will be the biggest challenge for all of us to overcome moving forward.
Posted by: Pete at 5:48 PM
Categories: Malware , Viruses
May 20, 2009
Threat Lab Report: Web Virus Gumblar on the Rise
Recently we've noticed a Web-based virus named Gumblar (Trojan.JS.Agent.ace, Troj/redir-R) rapidly spreading on the Internet. This virus accounted for over 40% of all new Web site virus infections last week. Gumblar is a malicious script injected into legitimate Web pages in order to load remote malicious content when the page is viewed.
Gumblar first infects Web sites by using stolen or weak FTP login credentials. Every infected site has its own modification of the script. When the script is executed, another script is silently loaded onto site visitors' computers and executed via a series of Adobe Acrobat Reader and Flash Player exploits. The malware then steals sensitive personal data and FTP logins used to infect even more Web sites.
Gumblar was first discovered in March. However, unlike other Web-based malware, which gradually dies off, it has seen tremendous growth recently. We feel that this is due to the following reasons:
1. The malware authors of Gumblar have continuously updated the virus, increasing the chances of it avoiding detection by anti-virus programs. For example, a short period after the server used to host the virus on the domain gumblar.cn was shut down, a new server at martuz.cn quickly took its place.
2. This particular virus uses a new and creative approach to propagation. The virus hijacks the Web browser of an infected machine, replacing Google search results with malicious links in an attempt to steal sensitive data.
3. Gumblar steals FTP login credentials. Previously infected servers which have been cleaned of the virus have a high chance of re-infection.
To prevent infection by this virus, we recommend that users install the latest security patches and update their anti-virus programs to the latest definitions.
Posted by: Netgear Threat Lab at 5:26 PM
Categories: Malware , Netgear Threat Lab , Viruses
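As an added defender-side example (not code from the original posts or from Netgear), a small Python scanner a webmaster could run over site HTML to flag script tags that load from the domains named in the two Gumblar posts above, plus a heuristic for packed inline scripts. Because the injected scripts differ per site and are now generated dynamically, the domain list alone is not enough; the obfuscation markers and the sample page are assumptions, since the posts do not document Gumblar's actual encoding.

```python
import re
from html.parser import HTMLParser

# Domains named in the two Gumblar posts above.
KNOWN_DOMAINS = {"gumblar.cn", "martuz.cn", "liteautotop.cn", "autobestwestern.cn"}
# Assumed markers of packed inline JavaScript (generic heuristic, not a Gumblar signature).
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode(", "eval(", "document.write(")

class ScriptCollector(HTMLParser):
    """Collect every <script> tag as [src attribute or None, inline body]."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def hostname(url):
    # Host part of an absolute or protocol-relative URL; None for same-site paths.
    m = re.match(r"(?:https?:)?//([^/:?#]+)", url or "")
    return m.group(1).lower() if m else None

def find_suspicious_scripts(html):
    # Returns (reason, evidence) pairs for script tags that look injected.
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        host = hostname(src)
        if host and any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
            findings.append(("known-domain:" + host, src))
            continue
        body = body.strip()
        hits = sum(body.count(m) for m in OBFUSCATION_MARKERS)
        # Long, single-line inline script with several decode/eval calls.
        if hits >= 2 and len(body) > 200 and "\n" not in body:
            findings.append(("obfuscated-inline", body[:40] + "..."))
    return findings

# Constructed sample page: a legitimate script, a remote loader from a listed
# domain, and a packed inline blob (the %61 padding stands in for a payload).
SAMPLE_PAGE = ('<html><head><script src="/js/site.js"></script>\n'
               '<script src="http://martuz.cn/x.js"></script>\n'
               '<script>document.write(unescape("%3Cscr"+"ipt%3E"));eval('
               'String.fromCharCode(118,97,114));' + "%61" * 60 + '</script></head></html>')
```

Run `find_suspicious_scripts(open(path).read())` over each HTML file in the webroot; a hit on a listed domain is a confirmed injection, while an obfuscated-inline hit needs a manual look.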
May 8, 2009
A Taste of Cyber Warfare
Brian Krebs on his Security Fix blog has posted an interesting read about the self destruction of a massive botnet, the botnet control tool that was used to do it, and the experience of a Webmaster whose Web server had been hacked and manipulated.
This story gives great insight into what goes on in the underground world of cyber crime. It gives you an idea of just how much power these botnet controllers actually have. That was a 100,000-node botnet (which is nothing to sneeze at); now what if the millions of PCs that are part of the Kido (Conficker, Downadup) botnet all executed the "kill operating system" command... Can you imagine the chaos that would ensue when millions of people across the Internet can't boot into their Windows PCs anymore?
Posted by: Pete at 10:55 AM
Categories: General , Malware , Viruses
May 6, 2009
Swine Flu: Coming to a PC Near You
By now, you've all probably heard or read about the recent swine flu outbreak. Everyone here is on code orange swine flu alert. People are taking safety precautions (the right thing to do) so that this thing doesn't do too much damage. Well, it turns out we are not the only ones affected by this virus. Believe it or not, your PC is also at risk. Read more about it here and here.
Swine flu related spam and phishing attacks have already begun surfacing on the Internet. Some of these emails contain eye-catching subject lines such as "First US swine flu victims!" or "Madonna caught swine flu!". Others claim to sell pharmaceuticals that cure or prevent swine flu and contain links to fake online drug sites. None of this should be any surprise, as hot news items are almost always exploited by spammers (see Natasha Richardson).
Expect only more of these spam and phishing attacks exploiting swine flu in the coming weeks.
Posted by: Pete at 3:18 PM
Categories: General , Phishing , Spam