Drive-By Download Poisons Google Search Results
snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."
Re:The Importance of Being Forgotten (Score:4, Interesting)
On the contrary, security without convenience is a myth. When "logging in" is an arcane protocol, then the user focuses on technical details instead of thinking about potential avenues of attack. Computers should handle the arbitrary and fiddly details and leave only the critical aspects to the user.
The real problem with the security of credentials is that for some reason we're not willing to do the right thing, which is to encapsulate authentication in a small (and therefore easier to secure) subsystem, like a class 3 smart card reader.
Re:Wouldn't... (Score:3, Interesting)
Re:Google Attacks (Score:5, Interesting)
Trojans that modify your browser's behaviour don't care for connections or encryption thereof, because the modification happens much higher in the chain. I had a trojan to dissect that literally changed your online banking information inside the browser. You saw that you're transferring A bucks to B, while the trojan sent to the bank you're transferring C bucks to D. The bank confirmed C bucks for D, and the browser asked the user for the confirmation code to send A bucks to B.
As soon as the browser is under the control of malware, it can manipulate your input before it is encrypted and sent through the wire, and manipulate the output after it has been decrypted and before you get to see it.
Locking down the browser would essentially also mean that you disable anything that can inject code into running processes (createremoteprocess and the like), as well as disallow browser plugins. I doubt many people would really want that.
Re:Wouldn't... (Score:4, Interesting)
Re:You're still using Adobe Reader? (Score:3, Interesting)
Which one should I use? Is FoxIt's reader any better? I suspect it also has some vulnerabilities but gets less attention from the bad guys because Acrobat's Reader is much more widely used.
Adobe Reader 9.1.1 not installed by default! (Score:5, Interesting)
Re:The problem is with Adobe... (Score:4, Interesting)
There seems to be no word about this attack working under Linux anyway.