Some more on it here: Gumblar .cn Exploit - 12 Facts About This Injected Script | Unmask Parasites. Blog.
They seem to indicate that it is spreading through weak FTP passwords. It's a tricky bugger too.
Just a heads up about a particularly aggressive compromise using FTP information stored on local machines to spread itself...
ScanSafe STAT Blog - Gumblar Q&A
ScanSafe STAT Blog - Google SERPs Redirections Turn to Bots
Thanks
Matt
Heart Internet
It's not so much that it's attacking weak passwords as that the original virus infects the PC and actually sniffs the FTP traffic, and either grabs the username and password from the FTP traffic stream or modifies your code as it's being sent to your website.
You see, FTP sends the username and password as plain text, so it's easily "sniffable". So you might have a really strong password, but it will still grab it and send it to a remote server, where that server will then copy your website, modify the files and then reload your site.
We've seen everything from .htm, .html, .js and .php files all infected with malscripts. Some sites we've cleaned had over 2,500 files infected with malscripts.
Luckily we've been able to use regular expressions to find and remove the infectious malscripts.
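Added example (not from the post above, and not anyone's actual tooling): a small Python parser that takes the two directions of a plaintext FTP control-channel session, as a sniffer on the infected PC would see them on port 21, and pulls out every USER/PASS attempt paired with whether the server accepted it, plus the filenames passed to STOR. The session bytes, the hostname ftp.example.test and both passwords are constructed. It makes the point above concrete: nothing on the wire is protected, so password strength does not matter here, and only moving uploads to SFTP or FTPS keeps the credentials out of a capture.

```python
"""Pull FTP credentials out of a plaintext control-channel session.

Added example, not from the original thread. The byte strings are a constructed
session (hostname, user and passwords are made up), laid out as a sniffer on the
infected PC would see the two directions of the TCP stream on port 21.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed client -> server bytes: a failed login, a successful one, an upload.
CLIENT_STREAM = (
    b"USER webmaster\r\n"
    b"PASS wrongpass\r\n"
    b"USER webmaster\r\n"
    b"PASS C0rrect-Horse-Battery!\r\n"
    b"TYPE I\r\n"
    b"PASV\r\n"
    b"STOR index.html\r\n"
    b"QUIT\r\n"
)

# Constructed server -> client replies for the same session (RFC 959 reply codes).
SERVER_STREAM = (
    b"220 ftp.example.test FTP server ready\r\n"
    b"331 Password required for webmaster\r\n"
    b"530 Login incorrect.\r\n"
    b"331 Password required for webmaster\r\n"
    b"230 User webmaster logged in\r\n"
    b"200 Type set to I\r\n"
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
    b"150 Ok to send data\r\n"
    b"226 Transfer complete\r\n"
    b"221 Goodbye\r\n"
)

# Final line of a login reply: "230 ..." accepted, "530 ..." rejected.
# Multi-line replies use "230-" continuation lines, which this deliberately skips.
LOGIN_REPLY_RE = re.compile(r"^(230|530) ")


@dataclass(frozen=True)
class FtpLogin:
    user: str
    password: str
    accepted: bool


def _lines(stream: bytes) -> List[str]:
    """Split a control-channel stream on CRLF; ignore an unterminated trailing fragment."""
    parts = stream.split(b"\r\n")
    return [p.decode("ascii", "replace") for p in parts[:-1]]


def _commands(stream: bytes) -> List[Tuple[str, str]]:
    """(VERB, argument) pairs from the client side; verbs are case-insensitive."""
    out = []
    for line in _lines(stream):
        verb, _, arg = line.partition(" ")
        out.append((verb.upper(), arg))
    return out


def extract_logins(client: bytes, server: bytes) -> List[FtpLogin]:
    """Pair every USER/PASS attempt with the server's accept/reject reply, in order."""
    attempts: List[Tuple[str, str]] = []
    pending_user = None
    for verb, arg in _commands(client):
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS" and pending_user is not None:
            attempts.append((pending_user, arg))
            pending_user = None
    outcomes = [m.group(1) for m in map(LOGIN_REPLY_RE.match, _lines(server)) if m]
    return [FtpLogin(u, p, code == "230") for (u, p), code in zip(attempts, outcomes)]


def uploaded_files(client: bytes) -> List[str]:
    """STOR targets: the files whose contents travel in the clear on the data channel
    and can be altered before they reach the server."""
    return [arg for verb, arg in _commands(client) if verb == "STOR"]


if __name__ == "__main__":
    for login in extract_logins(CLIENT_STREAM, SERVER_STREAM):
        status = "accepted" if login.accepted else "rejected"
        print(f"{login.user} / {login.password!r}: {status}")
    print("uploads seen:", uploaded_files(CLIENT_STREAM))
```

Running it prints both attempts with the second marked accepted and lists index.html as an upload; feed it the reassembled client and server halves of a real port-21 stream and it does the same, which is exactly why the post's "strong password" offers no protection on FTP.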
It morphed over the weekend to martuz.cn, more info here: Martuz .cn - New Incarnation of the Gumblar Exploit. So What’s New? | Unmask Parasites. Blog.
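Added example serving both the cleanup post above (regex find-and-remove across .htm/.html/.js/.php files) and the martuz.cn follow-up: a Python scanner written for this page, not the poster's own cleanup scripts, that walks a web root, strips any <script> block whose src or body names gumblar.cn or martuz.cn, backs up each file it touches, and flags .js files that mention those hosts for manual review rather than editing them blindly. The sample site it builds is constructed, and the URL paths under those hostnames are placeholders. The real injected scripts were obfuscated, so matching on the hostname is a starting point rather than a complete signature; extend BAD_HOSTS and SCRIPT_RE to the exact payload found on the infected site.

```python
"""Find and strip injected <script> blocks that point at known Gumblar/Martuz hosts.

Added example for this thread, not the cleanup scripts used by the poster.
The hostnames come from the thread; everything else (sample files, URL paths,
backup suffix) is constructed for the demo.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

# Indicator hostnames named in the thread (assumption: these are the only ones acted on).
BAD_HOSTS = ("gumblar.cn", "martuz.cn")
SCAN_SUFFIXES = {".htm", ".html", ".php"}   # files where whole <script> blocks are removed
REVIEW_SUFFIXES = {".js"}                     # files only flagged for manual review
BACKUP_SUFFIX = ".gumblar-bak"

# One <script ...>...</script> block, any attributes, possibly spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def _mentions_bad_host(fragment: str) -> bool:
    low = fragment.lower()
    return any(host in low for host in BAD_HOSTS)


def find_injections(text: str) -> List[str]:
    """Every <script> block whose src attribute or body names a bad host."""
    return [m.group(0) for m in SCRIPT_RE.finditer(text) if _mentions_bad_host(m.group(0))]


def clean_text(text: str) -> Tuple[str, int]:
    """Drop flagged blocks, keep every other <script>. Returns (cleaned, removed_count)."""
    removed = 0

    def _sub(m):
        nonlocal removed
        if _mentions_bad_host(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(_sub, text), removed


def suspicious_js_lines(text: str) -> List[int]:
    """1-based line numbers in a .js file that mention a bad host (review, don't auto-edit)."""
    return [i for i, line in enumerate(text.splitlines(), 1) if _mentions_bad_host(line)]


def clean_tree(root: Path) -> Tuple[List[Tuple[str, int]], List[Tuple[str, List[int]]]]:
    """Walk root: rewrite HTML/PHP files with flagged blocks removed (after a backup),
    and report .js files that need a human look. Returns (removed, to_review)."""
    removed, to_review = [], []
    for path in sorted(root.rglob("*")):          # snapshot first so backups aren't rescanned
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if suffix in SCAN_SUFFIXES:
            cleaned, n = clean_text(text)
            if n:
                shutil.copy2(path, path.with_name(path.name + BACKUP_SUFFIX))
                path.write_text(cleaned, encoding="utf-8")
                removed.append((rel, n))
        elif suffix in REVIEW_SUFFIXES:
            lines = suspicious_js_lines(text)
            if lines:
                to_review.append((rel, lines))
    return removed, to_review


def build_sample_site(root: Path) -> None:
    """Constructed web root: two injected pages, one appended-to .js, one clean page."""
    (root / "index.html").write_text(
        '<html><head>\n<script src="/js/app.js"></script>\n'
        '<script src="http://gumblar.cn/sample/"></script>\n'
        "</head><body>hello</body></html>\n", encoding="utf-8")
    (root / "inc").mkdir()
    (root / "inc" / "footer.php").write_text(
        "<?php echo '<div>footer</div>'; ?>\n"
        "<script>var u='http://martuz.cn/sample/';</script>\n", encoding="utf-8")
    (root / "js").mkdir()
    (root / "js" / "app.js").write_text(
        "var a = 1;\n/* appended */ var s = 'http://martuz.cn/sample/';\n", encoding="utf-8")
    (root / "clean.html").write_text("<p>nothing to see</p>\n", encoding="utf-8")


def demo() -> Tuple[List[Tuple[str, int]], List[Tuple[str, List[int]]]]:
    """Build the sample site in a temp dir, clean it, return what was done."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        removed, to_review = clean_tree(root)
        # After cleaning, no scanned file should still carry a flagged block.
        assert not any(find_injections(p.read_text(encoding="utf-8"))
                       for p in root.rglob("*") if p.suffix.lower() in SCAN_SUFFIXES)
        return removed, to_review


if __name__ == "__main__":
    print(demo())
```

Point clean_tree at a copy of the site, not the live document root, and diff the .gumblar-bak files against the cleaned ones before re-uploading; and since the infected PC still holds the FTP password, rotate it and switch to SFTP before putting the clean copy back, or the regex pass will need repeating.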
Yes, it does seem to harvest FTP credentials. I'm not sure what the PC infection is.
Never email donotemail@WeAreSpammers.com
From what I can tell, the PC infection is partly looking for FTP details to exploit sites and partly so they can adjust the user's Google search rankings. Seen various reports of it replacing AdWords and other links with dodgy stuff.
For some reason it targets Adobe Flash and Reader exploits rather than the browser itself which seems like a bit of a roundabout way, but maybe that gets around FF and Chrome being more secure (in theory).
Best solution seems to be to keep AV up to date to prevent the FTP bit, and make sure the Adobe update has run to prevent SERP alterations. Sure they could start doing other things if they wanted to rather than simply changing links.
Trev