Drive-By Download Poisons Google Search Results 136
snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."
The Importance of Being Forgotten (Score:5, Insightful)
About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.
Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.
The integration of FTP clients into browsers and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a stream lined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.
Wouldn't... (Score:3, Insightful)
... Flashblock basically remove this exploits ability to infect your PC?
Re:The Importance of Being Forgotten (Score:5, Insightful)
It's a pretty rare thing in the computer world to gain convenience without sacrificing security.
In fact... Drop 'computer' out of that sentence and it's still true.
It's all about a balancing act. You have to take risks to be efficient... It's just part of life.
Re:Wouldn't... (Score:2, Insightful)
Re:Wouldn't... (Score:4, Insightful)
It's a good thing I got sick of it hanging actually, the whole PDF exploit thing came up a little after that. I still get randomly named PDFs downloading themselves sometimes, presumably they're exploit-loaded. Lately it occoured to me that, because Adobe includes a shell extension to render a preview image, simply selecting the file in Windows may be enough to trigger an exploit. Thoughts?
Re:Google Attacks (Score:1, Insightful)
Re:The Importance of Being Forgotten (Score:2, Insightful)
Smart card readers are only as secure as the smart cards themselves.
Re:The Importance of Being Forgotten (Score:5, Insightful)
Well, we all know how bulletproof secure Firefox is, right?
More to the point, we all know how secure FTP is, right?
Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?
Re:stuck with adobe (Score:3, Insightful)
Re:The problem is with Adobe... (Score:2, Insightful)
Yep. My step-daughter is always saying things like "I hate Ubuntu! It makes you load the PDF in a separate application, not right in the browser like on Windows!"
It's a security thing! The Adobe plugins suck.
Another way to fix the whole thing is to just use NoScript. No scripts running on a Web page == no drive-by downloads.
Google Attacks (With Corrected Link) (Score:2, Insightful)
(Reposted with Correct Link)
As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine its popular because its a bit subtle and pernicious. How much malware is out there that is undiscovered because the affects are more subtle? Maybe reordering search results? Replacing ads with different ones?
For my mom, I ended up using http://www.scroogle.org/ [scroogle.org] to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admint I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man in the middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.
When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached on a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now.
Re:The Importance of Being Forgotten (Score:1, Insightful)
Well, we all know how bulletproof secure Firefox is, right?
More to the point, we all know how secure FTP is, right?
Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?
Um, if you bothered to read his post, WinSCP and FireFTP are both SFTP or support it at least. And if he's connecting to other people's servers, what is he supposed to do? Ask them to move to SFTP before he will help or transfer?
Re:The Importance of Being Forgotten (Score:2, Insightful)
Care to substantiate this? Firefox has a very good track record when it comes to security thanks to its quick responses to known vulnerabilities and patching almost all of them before they become publicly known.
Re:The Importance of Being Forgotten (Score:2, Insightful)
Re:The problem is with Adobe... (Score:4, Insightful)
> It's a security thing! The Adobe plugin suck.
Oh, it's a security thing. Really? Now please explain to me, why it is more
secure to open the PDF in the standalone Acrobat Reader running under the
same uid as your browser (and thus under the same uid as the standalone Reader).
It would be a security thing to use another PDF reader instead of Acrobat
Reader, but this has nothing to do with the fact if it is runs as a plugin
or not. You can both embed Acrobat Reader and other PDF readers into the
browser window in Linux.
So instead of using lame excuses to your step daugther, thus making her linux
experience bad and therefore make her dislike linux, just fix the damn box
to show the PDF inside the browser.
Re:The Importance of Being Forgotten (Score:3, Insightful)
Re:The Importance of Being Forgotten (Score:2, Insightful)
Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.
As you mentioned that you use Windows machines, why not just use Windows Explorer for FTP purposes?