
Drive-By Download Poisons Google Search Results

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

  • by Anonymous Coward on Tuesday May 19, 2009 @09:17AM (#28010615)

    On the contrary, security without convenience is a myth. When "logging in" is an arcane protocol, then the user focuses on technical details instead of thinking about potential avenues of attack. Computers should handle the arbitrary and fiddly details and leave only the critical aspects to the user.

    The real problem with the security of credentials is that for some reason we're not willing to do the right thing, which is to encapsulate authentication in a small (and therefore easier to secure) subsystem, like a class 3 smart card reader.

  • Re:Wouldn't... (Score:3, Interesting)

    by averner ( 1341263 ) on Tuesday May 19, 2009 @09:41AM (#28010871)
    This is pretty much the only reason I use Chrome rather than Firefox - Chrome freezes less often when something in it acts slow.
  • Re:Google Attacks (Score:5, Interesting)

    by Opportunist ( 166417 ) on Tuesday May 19, 2009 @09:54AM (#28011025)

    Trojans that modify your browser's behaviour don't care for connections or encryption thereof, because the modification happens much higher in the chain. I had a trojan to dissect that literally changed your online banking information inside the browser. You saw that you're transferring A bucks to B, while the trojan sent to the bank you're transferring C bucks to D. The bank confirmed C bucks for D, and the browser asked the user for the confirmation code to send A bucks to B.

    As soon as the browser is under the control of malware, it can manipulate your input before it is encrypted and sent through the wire, and manipulate the output after it has been decrypted and before you get to see it.

    Locking down the browser would essentially also mean that you disable anything that can inject code into running processes (createremoteprocess and the like), as well as disallow browser plugins. I doubt many people would really want that.

  • Re:Wouldn't... (Score:4, Interesting)

    by joelmax ( 1445613 ) on Tuesday May 19, 2009 @10:14AM (#28011275) Journal
    Some recent Adobe confirmed exploits do this. In some cases, simply mousing over the file and getting the preview allegedly can cause infection.
  • by andi75 ( 84413 ) on Tuesday May 19, 2009 @10:53AM (#28011833) Homepage

    Which one should I use? Is FoxIt's reader any better? I suspect it also has some vulnerabilities but gets less attention from the bad guys because Acrobat's Reader is much more widely used.

  • by AxelBoldt ( 1490 ) on Tuesday May 19, 2009 @11:01AM (#28011953) Homepage
    In their security alert [adobe.com], Adobe urges people to upgrade from Adobe Reader 9.1.0 to 9.1.1. If you install Reader from their main download site, they still give you 9.1.0. The 9.1.1 update is available only if you follow the links at the bottom of the security alert. Insecurity through obscurity!
  • by smoker2 ( 750216 ) on Tuesday May 19, 2009 @11:18AM (#28012211) Homepage Journal
    Is PDF a web format? If not then use a separate app to view them. The browser is not supposed to do everything. I have no plugins for PDF in my Linux browser and my experience doesn't suck. Next you'll be wanting MS Word to be viewable in the browser. Wanting something, and it being a good idea are sometimes very far removed. She probably wants a pony too, try getting that to run in a browser!

    There seems to be no word about this attack working under Linux anyway.
