(Excerpt from an article by Susan Bradley)
Going by such names as Gumblar, JSRedir-R,
Martuz, and Beladin, a new generation of malware has managed to surreptitiously
place malicious JavaScript code on tens of thousands of popular Web sites.
The hacker scripts try to infect site visitors and then attempt to use their
compromised PCs to spread the infection to yet other sites.
Over the past month, the security services ScanSafe and Sophos have reported
infections on such major Web sites as ColdwellBanker.com, Variety.com, and
Tennis.com. Niels Provos reported in the Google security blog on June 3 that
sites infected with Gumblar numbered about 60,000. Visitors became susceptible
to infection simply by opening the sites in Internet Explorer.
After the script infects a PC, it attempts to spread its code to any Web site
accessible via that machine's FTP client, if one is present. Webmasters often
use FTP to make changes to the sites they manage. If FTP software is configured
to save a webmaster's sign-in information, the malware can edit itself into a
Web site's pages.
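The infection path just described ends with the malware editing pages on any site the compromised PC can reach over FTP. A webmaster's best defence against that step is an integrity check: keep a hash baseline of the site taken when it was last known clean, and inspect any page that has changed for script tags that should not be there. The following script is an added example, not code from the article; the allowlist of script hosts, the baseline format and the sample pages are all constructed for the demonstration.

```python
"""Added example: flag pages that changed since a clean baseline and contain
script tags that look injected. Not part of the original article.

Assumptions (constructed for the demo): the site keeps a dict of SHA-256
hashes per page from its last clean snapshot, and a short allowlist of hosts
that legitimately serve scripts for the site.
"""
import hashlib
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}  # constructed allowlist


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def suspicious_scripts(html):
    """Return human-readable findings for scripts that look injected."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unexpected host {host}: {src}")
    for body in parser.inline:
        # Heuristic (an assumption, not a signature from the article): decoder
        # calls fed escaped bytes are typical of obfuscated injected loaders.
        if re.search(r"(unescape|eval|fromCharCode)\s*\(", body) and ("%" in body or "\\x" in body):
            findings.append(f"obfuscated inline script: {body[:60]!r}")
    return findings


def audit_site(root, baseline):
    """Compare each .html page under root to the baseline; return findings by path."""
    root = Path(root)
    report = {}
    for page in sorted(root.rglob("*.html")):
        rel = str(page.relative_to(root))
        if baseline.get(rel) == sha256_of(page):
            continue  # unchanged since the last clean snapshot
        issues = suspicious_scripts(page.read_text(encoding="utf-8", errors="replace"))
        issues.insert(0, "new file not in baseline" if rel not in baseline
                      else "content changed since baseline")
        report[rel] = issues
    return report


# Constructed sample pages; the injected payload decodes to the inert word "document".
CLEAN_PAGE = ('<html><body><script src="https://www.example.com/app.js"></script>'
              '<p>Hello</p></body></html>')
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script></body>')


def demo():
    """Snapshot two clean pages, tamper with one, and run the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("index.html", "about.html"):
            (root / name).write_text(CLEAN_PAGE, encoding="utf-8")
        baseline = {name: sha256_of(root / name) for name in ("index.html", "about.html")}
        (root / "about.html").write_text(INFECTED_PAGE, encoding="utf-8")  # simulated tampering
        return audit_site(root, baseline)


if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", "; ".join(issues))
```

Running the audit from a clean machine (not the webmaster's possibly compromised PC) matters, since the article's point is that the FTP client on that PC is exactly what the malware abuses.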
Once a PC is running this class of malware, the hacker code tries to trick the
user into opening infected PDF and Flash files. If the PC has an un-patched
version of Adobe Reader, Acrobat, or Flash, opening an infected file can
install a keylogger or other malware. In the case of Gumblar, Google search
results in an Internet Explorer window are rewritten — in a way that end users
may not notice — so the links point to hacker sites laden with infected PDF and
Flash.
Security firms have made efforts to block domains that serve as malware
destinations in this latest round of attacks. But the bad guys quickly move to
substitute other domains in what has been compared to a game of Whack-a-Mole.
Meanwhile, it's not so easy to shut down a well-known, legitimate site that's
infected (although many such sites have quickly been cleaned up). You can't
protect yourself simply by visiting only "trusted" sites, because
there's no easy way for an end user to determine whether a legitimate site is
infected.
Fortunately, you can stack the odds in your favor by following these guidelines:
Step 1: Use a hardware firewall.
Step 2: Install a set of security software.
Step 3: Scan your system regularly with a software-update service.
Step 4: Use Mozilla's Firefox or Google's Chrome browser, both of which
are more secure than Internet Explorer.
The rise of a new form of Web-based threat
On May 27, 2009, the Microsoft Malware Protection Center blog reported that a
malware family Microsoft refers to as Gamburl and Redir was infecting legitimate
Web sites by embedding malicious scripts in the sites' HTML code. A system
running Windows XP could become infected simply by opening a seemingly
trustworthy site.
Once an XP machine is infected, passwords for FTP sites are retrieved and
placed into a file called sqlsodbc.chm. This file is a legitimate SQL
help file in Windows.
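Because the malware reuses a file name that Windows legitimately owns, a plain "does the file exist" check tells a responder nothing. A more useful check is whether the file still has the structure of a compiled HTML Help file. The snippet below is an added example rather than anything from the article; it assumes that a genuine .chm file begins with the four-byte signature "ITSF", treats a mostly-printable body as a further hint that the file has been repurposed as a text dump, and uses a constructed path and constructed sample bytes.

```python
"""Added example (not from the article): sanity-check a sqlsodbc.chm file.

Assumptions: real compiled HTML Help files start with b"ITSF"; a file under
that name whose content is mostly printable text is a repurposed file, not a
help file. The Windows path below is an assumed location, not one the
article states.
"""
from pathlib import Path

CHM_MAGIC = b"ITSF"
ASSUMED_PATH = r"C:\Windows\System32\sqlsodbc.chm"  # assumption for the demo


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or whitespace (1.0 for pure text)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def inspect_chm_bytes(data):
    """Classify content as 'ok', 'empty', 'text-dump' or 'suspicious'."""
    if not data:
        return "empty"
    if data[:4] == CHM_MAGIC:
        return "ok"
    # Heuristic: a help file replaced by stored credentials reads as plain text.
    if printable_ratio(data) > 0.9:
        return "text-dump"
    return "suspicious"


def inspect_chm_file(path=ASSUMED_PATH):
    """Read the file (if present) and return its classification."""
    p = Path(path)
    if not p.exists():
        return "missing"
    return inspect_chm_bytes(p.read_bytes())


# Constructed samples: a header-only stand-in for a real CHM and a text stand-in.
SAMPLE_GENUINE = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60
SAMPLE_DUMP = b"host=ftp.example.invalid\nuser=demo\n"  # constructed, not real data

if __name__ == "__main__":
    print("genuine sample:", inspect_chm_bytes(SAMPLE_GENUINE))
    print("text sample:   ", inspect_chm_bytes(SAMPLE_DUMP))
    print("on this host:  ", inspect_chm_file())
```

A "text-dump" or "suspicious" result is a lead for incident response (the machine's FTP credentials should be treated as exposed and rotated from a clean system), not proof on its own; a "missing" result simply means the check ran somewhere other than a Windows system.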