The website compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with web traffic, a security firm said on Thursday.
The Gumblar attack started in March with websites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the UK, ScanSafe said last week.
As website operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, as well as search the victim's system for FTP credentials that can be used to compromise additional websites.
Welcome to Our Community
Wanting to join the rest of our members? Feel free to sign up today.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
Attention: "role based name" email prefixes such as support, webmaster, info, contact, forum, service, affiliate, admin, traffic, partners, marketing, etc., for our member accounts are not permitted. They are acceptable for a vendor listing, but not for the member email. This is due to bulk email processors scrubbing them for delivery due to extremely high bounce rates. Please apply for membership using a personalized email prefix. Something like bob@xxxxx.com.
If we discover you signed up with a role based name we will give you only one message to change it. After 3 days your account will be removed if the email is not changed.
