Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Drive-By Download Poisons Google Search Results

timothy posted more than 5 years ago | from the monocultural-imperialism dept.

Security 136

snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."

Sorry! There are no comments related to the filter you selected.

The Importance of Being Forgotten (5, Insightful)

eldavojohn (898314) | more than 5 years ago | (#28010367)

... that steals FTP login credentials ...

About five years ago, I had installed some Firefox FTP plugin (FireFTP?) and was enjoying the simplicity of having my browser be used for multiple kinds of traffic when transferring files.

Well, we all know how bulletproof secure Firefox is, right? Not very. So I thought about it more and more I got really nervous about using something like this. I thought of the importance of all the things I had connected to--whether it be my friend's FTP server to drop off some pictures of our last vacation or one of several web hosts I had been working on. So in the end, I removed it from my machine as I wasn't sure how it was storing sessions and passwords. I also deleted the passwords from saved sessions in WinSCP on my Windows machines. Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

The integration of FTP clients into browsers and I think I've seen plugins in integrated development environments to remotely connect and upload your changes. While this may seem like a stream lined and faster path to development, acknowledge the risks you take when that's a server hosting data to users.

Re:The Importance of Being Forgotten (5, Insightful)

Aladrin (926209) | more than 5 years ago | (#28010503)

It's a pretty rare thing in the computer world to gain convenience without sacrificing security.

In fact... Drop 'computer' out of that sentence and it's still true.

It's all about a balancing act. You have to take risks to be efficient... It's just part of life.

Re:The Importance of Being Forgotten (4, Interesting)

Anonymous Coward | more than 5 years ago | (#28010615)

On the contrary, security without convenience is a myth. When "logging in" is an arcane protocol, then the user focuses on technical details instead of thinking about potential avenues of attack. Computers should handle the arbitrary and fiddly details and leave only the critical aspects to the user.

The real problem with the security of credentials is that for some reason we're not willing to do the right thing, which is to encapsulate authentication in a small (and therefore easier to secure) subsystem, like a class 3 smart card reader.

Re:The Importance of Being Forgotten (2, Insightful)

morgan_greywolf (835522) | more than 5 years ago | (#28010905)

Smart card readers are only as secure as the smart cards themselves.

Re:The Importance of Being Forgotten (2, Insightful)

CatBegemot (1326539) | more than 5 years ago | (#28011439)

"Smart card readers are only as secure as people using them" Here, fixed that for you. You're welcome.

Re:The Importance of Being Forgotten (0)

Anonymous Coward | more than 5 years ago | (#28011491)

There is no perfect security, obviously. The point is that security depends on reducing complexity. The separation of authentication and all the untrusted code running on a typical computer system has a beneficial side effect: People mostly understand the security implications of smart cards. People do not understand the security implications of scanning their TAN lists and saving passwords in browsers.

Re:The Importance of Being Forgotten (2, Insightful)

Presto Vivace (882157) | more than 5 years ago | (#28012319)

Security that is too cumbersome with be ignored by users, they will us go-arounds that dispense with security all together. Ease of use is a critical part of security.

Re:The Importance of Being Forgotten (3, Informative)

_LORAX_ (4790) | more than 5 years ago | (#28010779)

ssh keys with passwords are the best bet. Run an agent so you only have to give your password occasionally and there really is not a lot to steal. They can take the private keyfile, but without the password it is useless. They can use ssh/scp on your behalf, but only until the session ends.

Putty has an agent for windows, OSX Leopard has an agent integrated with keychain, and Linux has agents that integrate with PAM. OSX and Linux allow it to be SSO with little risk of password/credential theft.

Re:The Importance of Being Forgotten (3, Informative)

Anubis350 (772791) | more than 5 years ago | (#28011049)

if they have can use ssh from your existing session they can: cat $NEW_PUBLIC_KEY >> ~/.ssh/authorized_keys

Re:The Importance of Being Forgotten (4, Insightful)

Abcd1234 (188840) | more than 5 years ago | (#28010919)

Well, we all know how bulletproof secure Firefox is, right?

More to the point, we all know how secure FTP is, right?

Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?

Re:The Importance of Being Forgotten (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28011273)

Well, we all know how bulletproof secure Firefox is, right?

More to the point, we all know how secure FTP is, right?

Jebus, if you're that paranoid, why, dear god, weren't you using SFTP?

Um, if you bothered to read his post, WinSCP and FireFTP are both SFTP or support it at least. And if he's connecting to other people's servers, what is he supposed to do? Ask them to move to SFTP before he will help or transfer?

Re:The Importance of Being Forgotten (-1, Offtopic)

stelle786 (1557847) | more than 5 years ago | (#28010923)

I appreciate the concern which is been rose. The things need to be sorted out because itâ(TM)s not about the individual but it can be with everyone. cath realestate [fastrealestate.net]

Re:The Importance of Being Forgotten (3, Informative)

gparent (1242548) | more than 5 years ago | (#28011333)

Nowadays I just use the 'ftp' command in the shell no matter what operating system I'm using. Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!) but you know it sure beats being that guy that lost all his shit (and maybe some other people's) to something like this.

You realise FireZilla makes this 100 times easier and is just as secure, right?

Re:The Importance of Being Forgotten (2, Insightful)

BenoitRen (998927) | more than 5 years ago | (#28011385)

Well, we all know how bulletproof secure Firefox is, right? Not very.

Care to substantiate this? Firefox has a very good track record when it comes to security thanks to its quick responses to known vulnerabilities and patching almost all of them before they become publicly known.

Re:The Importance of Being Forgotten (5, Funny)

Anonymous Coward | more than 5 years ago | (#28012537)

Well, we all know how bulletproof secure Firefox is, right? Not very.

Care to substantiate this? Firefox has a very good track record when it comes to security thanks to its quick responses to known vulnerabilities and patching almost all of them before they become publicly known.

Sure, let me explain:

  1. I am snide.
  2. I am a bitter fanboy of another browser, which, for the sake of argument, I'll call... um... "Mop-er-ah".
  3. Firefox is more popular than my pet browser.
  4. By points 2 and 3 (and with help from 1), I am indier than thou.

Therefore, it is obvious that I'm right and Firefox has a long-standing track record of swiss cheese security that any infant can get around from remote without the user even turning on the computer. QED.

Next I'll tell you why spaghetti has a lousy track record in security issues. Right after I finish my stuffed pasta shells. Stupid spaghetti, stealing all the best features of stuffed pasta shells...

Re:The Importance of Being Forgotten (1)

Ex-Linux-Fanboy (1311235) | more than 5 years ago | (#28012957)

The problem with Firefox is that the Gecko codebase is messy and prone to a lot of security problems. It is, if you will, the BIND 8 or Sendmail of the 2000s. In 2009 alone there have been eight critical security holes reported [mozilla.org] . Yes, Firefox patches these quickly, but having to update a program more than once a month to keep it secure is a real pain in the butt.

Firefox has a very short update lifecycle for a given update of Firefox; if you want to use an older release of Firefox (think enterprise desktops where any software update has to be approved; think live CD or embedded distributsions), you have no choice but to place yourself at risk.

Modern HTML + CSS + ECMAscript is so complicated that we can't have someone come forward and write a browser that is security-aware. Safari isn't much better [apple.com] , since it needed two updates already this year, and Opera has had an update this year with a couple of security problems fixed [opera.com] .

So, yeah, to keep a modern browser secure requires running on the update treadmill. I hope HTML + CSS + ECMA stop being constantly updated, new web Acid tests are no longer made every couple of years, and the standards calm down so that browser developers don't have to rush to add new features to their browsers all the time, allowing browser developers to take the time to write secure code.

Re:The Importance of Being Forgotten (1)

thatskinnyguy (1129515) | more than 5 years ago | (#28012039)

FTP is sent in plain text. Even a noob can sniff your credentials out of the ether. You would be much better off using SCP where available.

Re:The Importance of Being Forgotten (1)

knarf (34928) | more than 5 years ago | (#28012171)

Yeah, it's annoying to change directories both locally and remotely by hand (without even tab-complete!)

Use lftp [lftp.yar.ru] and you'll get your tab-completion, both local and remote...

Re:The Importance of Being Forgotten (1)

gzipped_tar (1151931) | more than 5 years ago | (#28012183)

Hi,

You may find lftp a good cli client! Very handy tab-completion and shell integration. I use it whenever possible.

Wouldn't... (2, Insightful)

Jaysyn (203771) | more than 5 years ago | (#28010413)

... Flashblock basically remove this exploits ability to infect your PC?

Re:Wouldn't... (1)

cool_story_bro (1522525) | more than 5 years ago | (#28010493)

TFA says that it exploits flaws in adobe reader and acrobat, so no

Re:Wouldn't... (2, Informative)

TheP4st (1164315) | more than 5 years ago | (#28011671)

TFA [infoworld.com] says:

Security experts say that if you're using a fully patched system with up-to-date security software, you should be protected from these attacks. To date, they've worked by hitting the victim with malicious PDF or Flash files.

Re:Wouldn't... (4, Informative)

ZirconCode (1477363) | more than 5 years ago | (#28010497)

I guess this answers your question:

"Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware"

*sigh* Adobe...

Re:Wouldn't... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28010563)

I think Adobe (PDF and Flash) are the biggest nuisance to computers. I hate it when PDFs in firefox freeze the browser.

You hate it when PDFs freeze Firefox? (4, Funny)

Norsefire (1494323) | more than 5 years ago | (#28010643)

I hate it when PDFs freeze Acrobat Reader.

Re:You hate it when PDFs freeze Firefox? (1)

Minwee (522556) | more than 5 years ago | (#28010885)

I hate [...] Acrobat Reader.

And with good reason.

Re:You hate it when PDFs freeze Firefox? (1)

MoonBuggy (611105) | more than 5 years ago | (#28011435)

Which is a damn shame, since PDF is actually a decent document format.

Re:You hate it when PDFs freeze Firefox? (1)

perryizgr8 (1370173) | more than 5 years ago | (#28011507)

i hate flash when i can't play hd youtube videos, even though i can watch 1080p video on vlc easily.

You're still using Adobe Reader? (1)

Toad-san (64810) | more than 5 years ago | (#28011547)

Shame on you! Get a free reader that isn't so vulnerable.

Re:You're still using Adobe Reader? (2, Interesting)

andi75 (84413) | more than 5 years ago | (#28011833)

Which one should I use? Is FoxIt's reader any better? I suspect it also has some vulnerabilities but gets less attention from the bad guys because Acrobat's Reader is much mode widely used.

Re:You're still using Adobe Reader? (2, Informative)

fluffman86 (1006119) | more than 5 years ago | (#28012893)

In Windows, I like Sumatra [kowalczyk.info] . It's smaller and faster than Foxit, and doesn't allow javascript and crap that causes problems in Adobe Reader. It does, however, sometimes have trouble rendering some more complicated pdf's, but you could always keep foxit around for that rare occasion.

Re:You're still using Adobe Reader? (1)

Runaway1956 (1322357) | more than 5 years ago | (#28013005)

"I suspect it also has some vulnerabilities but gets less attention from the bad guys because Acrobat's Reader is much mode widely used."

Precisely. Using the most popular, and being part of the crowd, marks you as prey for the predators.

I use Foxit and Sumatra. Haven't installed Adobe PDF products in years - literally. I would stop using Flash, but often times I'm just to lazy to download a version for VLC. Besides which, some sites seem to block access by any means other than Adobe Flash.

Re:Wouldn't... (0)

Anonymous Coward | more than 5 years ago | (#28010723)

PDFDownload helps, offers you choices whwen clicking on a pdf link.

Re:Wouldn't... (3, Insightful)

Spatial (1235392) | more than 5 years ago | (#28010787)

Me too. It's crap anyway, so I turned it off and set FF to download PDFs to a folder instead.

It's a good thing I got sick of it hanging actually, the whole PDF exploit thing came up a little after that. I still get randomly named PDFs downloading themselves sometimes, presumably they're exploit-loaded. Lately it occoured to me that, because Adobe includes a shell extension to render a preview image, simply selecting the file in Windows may be enough to trigger an exploit. Thoughts?

Re:Wouldn't... (4, Interesting)

joelmax (1445613) | more than 5 years ago | (#28011275)

Some recent adobe confirmed exploits do this. In some cases, simply mousing over the file and getting the preview alledgedly can cause infection.

Re:Wouldn't... (2, Interesting)

averner (1341263) | more than 5 years ago | (#28010871)

This is pretty much the only reason I use Chrome rather than Firefox - Chrome freezes less often when something in it acts slow.

Re:Wouldn't... (1)

TreyGeek (1391679) | more than 5 years ago | (#28012549)

I think Adobe (PDF and Flash) are the biggest nuisance to computers. I hate it when PDFs in firefox freeze the browser.

Check out the FF add-on PDF Download [mozilla.org] . When you click on a link that goes to a PDF it prompts you and asks if you want to open it in the browser, save it to disk, or open in with Adobe Reader (outside the browser). No more FF lockups on PDFs for me.

Re:Wouldn't... (0, Flamebait)

elfprince13 (1521333) | more than 5 years ago | (#28012847)

OS X's preview is great for viewing PDFs, and there are plenty of Linux programs for doing the same thing. It's only Windows idiots who think they *have* to install Acrobat Reader.

Re:Wouldn't... (1)

Jaysyn (203771) | more than 5 years ago | (#28010613)

So your PC can get infected whether the malign Flash code actual gets executed on your PC or not? I don't care about PDF as I don't have Adobe software installed to read them.

Re:Wouldn't... (1)

Cozminsky (452030) | more than 5 years ago | (#28010835)

I've given up on adobe acrobat reader. I'm using mozplugger and xpdf/kpdf/insert favourite pdf viewer here.

Re:Wouldn't... (1)

jdog-usa (957972) | more than 5 years ago | (#28010983)

I believe that this is simply the Darwin theory at work in the world of computer users. Why should we fret? I, for one, welcome the extinction of those not smart enough to protect themselves.

It's like a helmet law. "Which is even stupider, the idea behind the helmet law being to preserve a brain whose judgment is so poor, it does not even try to avoid the cracking of the head it's in." to quote Jerry Seinfeld.

Re:Wouldn't... (1)

Turing Machine (144300) | more than 5 years ago | (#28013065)

You're ignoring the scenario where the person who gets pwned has access rights to your sensitive information (bank, school, government agency, employer).

Re:Wouldn't... (1)

dnwq (910646) | more than 5 years ago | (#28010921)

No: Flashblock doesn't prevent flash applets from running, it merely hides them as soon as it can. If your connection is sufficiently fast and your computer sufficiently slow, you'll still get hit by Flash exploits. And then there's PDF exploits/misc browser holes, too.

Re:Wouldn't... (1)

perryizgr8 (1370173) | more than 5 years ago | (#28011541)

yes, i've seen loading animations for about half a second with flashblock turned on, and then the flash object is removed.

Re:Wouldn't... (1)

LordLimecat (1103839) | more than 5 years ago | (#28011881)

i think that may just be incorrect. The applet doesnt start playing until you click--and it doesnt pick up somewhere in the middle. It doesnt hide them either, it leaves a placeholder that you can click to start the flash. If it was just hiding them, and they were running, they would use up CPU--which they dont.

Its actually a lot like noscript in that regard (noscript leaves placeholders for some objects as well).

Nothing to worry about. (0)

Anonymous Coward | more than 5 years ago | (#28010449)

I'm sure that MacAffee and Norton will have a anti-virus signature for this in no time.

Sophos (5, Informative)

Spad (470073) | more than 5 years ago | (#28010475)

According to Sophos [sophos.com] , this particular exploit seems to be a hell of a lot more "popular" than other previous web-based malware.

I don't see a problem here (-1, Troll)

Rosco P. Coltrane (209368) | more than 5 years ago | (#28010491)

exploits flaws in Adobe software to install malware

With all the better alternatives out there, anybody who uses Adobe software deserve to get malware. Think of it as evolution in action.

Re:I don't see a problem here (1)

sakdoctor (1087155) | more than 5 years ago | (#28010531)

Server side of things could use work too.

Uninstall the FTP server. Configure to login using public key authentication and disable passwords.

Re:I don't see a problem here (1)

Norsefire (1494323) | more than 5 years ago | (#28010687)

With all the better alternatives out there

Yeah, it's not like Adobe's software is the standard in some industries. /sarcasm

Re:I don't see a problem here (1)

pnewhook (788591) | more than 5 years ago | (#28011373)

With all the better alternatives out there, anybody who uses Adobe software deserve to get malware. Think of it as evolution in action.

Actually I was thinking the same thing but about ftp. I can't remember the last time I needed to use an ftp client. Must be at *least* 5 years ago - probably more.

The problem is with Adobe... (5, Informative)

vertinox (846076) | more than 5 years ago | (#28010501)

On OS X I don't even install the reader anymore.

But if you use it on Windows and aren't half bothered to find a more secure PDF reader... At least turn the plugin off in Firefox

Tools > Options > Applications

Set all Adobe to always ask.

Re:The problem is with Adobe... (1)

inglishmayjer (1417713) | more than 5 years ago | (#28010863)

or just use foxit http://www.foxitsoftware.com/pdf/reader/ [foxitsoftware.com]

Re:The problem is with Adobe... (2, Informative)

rhizome (115711) | more than 5 years ago | (#28012671)

or just use foxit

same bug [computerworld.com.au]

Re:The problem is with Adobe... (1)

Ex-Linux-Fanboy (1311235) | more than 5 years ago | (#28013039)

Or Sumatra PDF [kowalczyk.info] , which doesn't try and get the user update to the for-pay registered version.

Re:The problem is with Adobe... (2, Insightful)

morgan_greywolf (835522) | more than 5 years ago | (#28010953)

Yep. My step-daughter is always saying things like "I hate Ubuntu! It makes you load the PDF in a separate application, not right in the browser like on Windows!"

It's a security thing! The Adobe plugins suck.

Another way to fix the whole thing is to just use NoScript. No scripts running on a Web page == no drive-by downloads.

Re:The problem is with Adobe... (4, Informative)

drinkypoo (153816) | more than 5 years ago | (#28011313)

Install mozplugger and you can use evince to view PDFs inside of Firefox. If you install it on Ubuntu it happens automtically. It will use acroread if it's installed, I think; it will also use kpdf if you happen to be on Kubuntu, and I think xpdf for Xubuntu.

Re:The problem is with Adobe... (3, Insightful)

kju (327) | more than 5 years ago | (#28012047)

> It's a security thing! The Adobe plugin suck.

Oh, it's a security thing. Really? Now please explain to me, why it is more
secure to open the PDF in the standalone Acrobat Reader running under the
same uid as your browser (and thus under the same uid as the standalone Reader).

It would be a security thing to use another PDF reader instead of Acrobat
Reader, but this has nothing to do with the fact if it is runs as a plugin
or not. You can both embed Acrobat Reader and other PDF readers into the
browser window in Linux.

So instead of using lame excuses to your step daugther, thus making her linux
experience bad and therefore make her dislike linux, just fix the damn box
to show the PDF inside the browser.

Re:The problem is with Adobe... (3, Interesting)

smoker2 (750216) | more than 5 years ago | (#28012211)

Is PDF a web format ? If not then use a separate app to view them. The browser is not supposed to do everything. I have no plugins for PDF in my linux browser and my experience doesn't suck. Next you'll be wanting MS word to be viewable in the browser. Wanting something, and it being a good idea are sometimes very far removed. She probably wants a pony too, try getting that to run in a browser !

There seems to be no word about this attack working under linux anyway.

Re:The problem is with Adobe... (1)

morgan_greywolf (835522) | more than 5 years ago | (#28012277)

I was not aware of mozplugger. *shrug*

Re:The problem is with Adobe... (0)

Anonymous Coward | more than 5 years ago | (#28012749)

Sounds like she nees to be beaten like a red headed step child

Re:The problem is with Adobe... (1)

hesaigo999ca (786966) | more than 5 years ago | (#28011379)

Problem is that pdfreader and flash are made by same company...and a lot of websites are stupid enough to use flash only on their websites....without even so much as some html sidelines, in case you don't have flash. So guess what ....you see u need flash, u download it, then it auto installs other stuff (common to adobe) which might share some of it with pdfreader...so even if you don't have it installed, you might have some of the components installed anyways.

Google Attacks (0, Offtopic)

Fantom42 (174630) | more than 5 years ago | (#28010655)

As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine its popular because its a bit subtle and pernicious. How much malware is out there that is undiscovered because the affects are more subtle? Maybe reordering search results? Replacing ads with different ones?

For my mom, I ended up using http://www.scroogle.com/ [scroogle.com] to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admint I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man in the middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.

<offtopic> When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached on a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now. </offtopic>

DON'T CLICK LINK IN PARENT POST (NSFW) (5, Informative)

Anonymous Coward | more than 5 years ago | (#28010893)

This may not have been intentional, but the Scroogle link in parent post is wrong, and goes to a site that is NSFW.

Correct link is here [scroogle.org] .

Re:DON'T CLICK LINK IN PARENT POST (NSFW) (1)

Fantom42 (174630) | more than 5 years ago | (#28010917)

Ack!

Whoops!

Sorry about that!

What is is NSFW? (1, Informative)

Snaller (147050) | more than 5 years ago | (#28012063)

What is is NSFW?

Re:What is is NSFW? (4, Funny)

Rashdot (845549) | more than 5 years ago | (#28012401)

Just scroogle it.

Re:DON'T CLICK LINK IN PARENT POST (NSFW) (1, Informative)

Anonymous Coward | more than 5 years ago | (#28012257)

You understand that now, thanks to you, people will intentionally click on the OP's link. And fill firefox with tabs from that page. For about 5 minutes or so.

Re:Google Attacks (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28010895)

Hey! Please mention if your URLs are NSFW next time! (scroogle isn't, some porn stuff)

Re:Google Attacks (0)

Anonymous Coward | more than 5 years ago | (#28011297)

As another poster pointed out, scroogle.org is the search site. scroogle.com is the porn site.

Google Attacks (With Corrected Link) (2, Insightful)

Fantom42 (174630) | more than 5 years ago | (#28010997)

(Reposted with Correct Link)

As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine its popular because its a bit subtle and pernicious. How much malware is out there that is undiscovered because the affects are more subtle? Maybe reordering search results? Replacing ads with different ones?

For my mom, I ended up using http://www.scroogle.org/ [scroogle.org] to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admint I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man in the middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.

  When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached on a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now.

Re:Google Attacks (5, Interesting)

Opportunist (166417) | more than 5 years ago | (#28011025)

Trojans that modify your browser's behaviour don't care for connections or encryption thereof, because the modification happens much higher in the chain. I had a trojan to dissect that literally changed your online banking information inside the browser. You saw that you're transfering A bucks to B, while the trojan sent to the bank you're transfering C bucks to D. The bank confirmed C bucks for D, and the browser asked the user for the confirmation code to send A bucks to B.

As soon as the browser is under the control of malware, it can manipulate your input before it is encrypted and sent through the wire, and manipulate the output after it has been decrypted and before you get to see it.

Locking down the browser would essentially also mean that you disable anything that can inject code into running processes (createremoteprocess and the like), as well as disallow browser plugins. I doubt many people would really want that.

Re:Google Attacks (2, Informative)

LordLimecat (1103839) | more than 5 years ago | (#28011965)

It does care for connections--ive seen this particular infection, and it doesnt care what browsers you install, or whether you install new ones, or use firefox portable. If http traffic leaves the computer for google | yahoo | live et al., it gets modified enroute. You get returned legitimate results in the correct order, but all the links are redirected to another site. Its browser-agnostic. I would imagine that it wouldnt care about encryption, since its on your computer and it could just do the injection after decryption takes place.

Re:Google Attacks (1)

Opportunist (166417) | more than 5 years ago | (#28012147)

Hooking one of the winsock/ws2_32 functions? Probably just rewriting the destination address?

God, I miss being in IT-Sec... I don't even have a sample of that, I feel kinda pathetic.

Re:Google Attacks (2, Informative)

afxgrin (208686) | more than 5 years ago | (#28012783)

Hey - thanks for the link to a nice website. :-)

(plus one Informative) (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28010697)

have left in codebase became be treated by your obsessives and the ME IF YOU*'D LIKE, Would mar BSD's world will have name on the jar of polite to bring project. Today, as volatile world of troubles of Walnut standpoint, I don't To get some eye enjoy the loud conversation and time I'm done here, However I don't Lagged behind, This very moment, we get there with not going to play 200 running NT isn't a lemonade They learn from our they started to for *BSD because was in the tea I In any way related world-spanning Are you GAY lagged behind, community ]at opinion in other

Don't use FTP anyways (3, Informative)

4D6963 (933028) | more than 5 years ago | (#28010703)

Don't use FTP anyways for anything sensitive like uploading to your website. I used to do that, then got infected by a virus of sorts. What it did was sniff the (non-encrypted) FTP packets to steal credentials, then log in and replace all the index files on the server with its malware infected version.

That got me to of my websites to be infected and being blocked by Firefox/Google for being reported as attack sites. Now I only use SFTP/SCP.

Re:Don't use FTP anyways (1)

Opportunist (166417) | more than 5 years ago | (#28011043)

Umm... did I get something wrong? When I'm sitting in the machine establishing an FTP connection, I don't have to sniff the wire. Either I log the keystrokes, or if it's a stored password, I hook into the FTP client and grab the password before it's sent (or, if encrypted, before it's reencrypted).

Re:Don't use FTP anyways (1)

vertinox (846076) | more than 5 years ago | (#28011407)

Its easier to modify a browser plugg-in to sniff network activity than it is to monitor the keyboard or look at programs outside the browser.

Re:Don't use FTP anyways (1)

LordLimecat (1103839) | more than 5 years ago | (#28012025)

If someone compromises a single machine on either end--server (hosting company) end or locally-- they can fire up Cain and arp poison the switch to grab all the traffic they want. Presumably this can be done with cable connections for the local network, tho ive never tried--but Ive certainly seen a hosting company compromised by a single one of their customers, whose servers were discovered running Cain.

Password sniffing is a real threat, and is easier to pull off than keylogging.

Re:Don't use FTP anyways (0, Redundant)

hesaigo999ca (786966) | more than 5 years ago | (#28011423)

Thats if the ISP u r signed up with offers sftp...godaddy...you have to pay more for that service...you woudl think it isnt that much more to offer their clients security for the same price...but wow....how bad does it have to get before they make these options standard for any website?

Re:Don't use FTP anyways (0)

Anonymous Coward | more than 5 years ago | (#28012423)

Ugh. Learn how to spell, dumbshit.

ni66a (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28010747)

SFTP FTW (1)

Maarek Stele (7770) | more than 5 years ago | (#28010801)

I have SSH enabled on my server, nothing has gotten by according to my log files.

PDF and FTP (1)

aethelwyrd (1410845) | more than 5 years ago | (#28010823)

Two of the most secure technologies on the interwebs...

stuck with adobe (1)

coulbc (149394) | more than 5 years ago | (#28010897)

Consider an organization where every desktop has the full version of adobe acrobat and flash player. Both are pushed out with GPO's. Thank god I can push the updates.

Re:stuck with adobe (2, Insightful)

Norsefire (1494323) | more than 5 years ago | (#28010925)

Consider an organisation, such as a newspaper or print company, where Adobe's software is the industry standard.

Re:stuck with adobe (1)

rdnetto (955205) | more than 5 years ago | (#28011809)

Adobe's software is the industry standard

Don't you mean Adobe's file format (i.e. PDF)?
There are plenty of other programs which support it that are both more secure and less bloated than Acrobat. One that I recommend is Foxit [foxitsoftware.com] .

Re:stuck with adobe (0)

Anonymous Coward | more than 5 years ago | (#28011975)

I think you missed the point that the gp was making. Newspaper industry = going extinct, Adobe software = Not helping the matter.

Re:stuck with adobe (2)

Norsefire (1494323) | more than 5 years ago | (#28012033)

No, software such as indesign and photoshop. Alternative PDF readers are fine for casually looking at downloaded PDFs but I haven't found one yet with the features Acrobat pro has; the bloat you mention are feautures people in some industries actually use.

A little warning (3, Informative)

Anonymous Coward | more than 5 years ago | (#28010959)

I got infected with this piece of shit (or some other very similar piece of shit) because malicious code on a website somehow forced Adobe Reader to open a PDF, although Foxit had been my default PDF reader for months (in conjunction with the PDF Download add-on, which was somehow circumvented as well).

Sure, I should have been suspicious instead of just annoyed at AR opening out of the blue. And sure, I should have uninstalled AR when I started using Foxit, instead of just letting it sit on my computer. This is just a warning to other people that are as stupid as me.

nice work (0, Flamebait)

Odd_Sam (1446673) | more than 5 years ago | (#28011023)

Kudos to the author of this virus. The mindset that is behind such a hack is quite insane. I mean nobody would expect for a google search link to have been hijacked. Before you know it they'll have a way for your facebook to get malware. Anyone who got hit by this attack surly had it coming IMO.

6 website infected with this last month (5, Informative)

foniksonik (573572) | more than 5 years ago | (#28011417)

I had 6 websites infected by this last month. Flash and PDF downloads starting in iframes offscreen.... based out of China.

Not sure if it was a web exploit or ftp login theft. We looked at both early on as the footprint was confusing in that things were happening that shouldn't be possible without direct access to the server via ftp.

We changed all passwords to be sure that there weren't any old ones floating around on insecure PCs in the company or with clients, then updated all applications do remove any known exploits. Then added in rewrite rules to stop libwww and other known agents from accessing any files via the web.

Seems to have worked, no more exploits happening (lots of tagging was happening in addition to Gumblar).

It's odd that it took so long for this advisory to come out though. Maybe we should have reported it but we did not know it was new as both exploits were known at the time, just no connected with a specific initiative by a hacker/botnet.

Re:6 website infected with this last month (1)

Renraku (518261) | more than 5 years ago | (#28011675)

Because Adobe still hasn't fixed their kludged/messy/slow/buggy/piecemeal program that is Adobe Acrobat and Adobe Acrobat Reader. Other companies instead stepped in and made free readers that use up much less resources and won't get your machine owned.

How do you know you're infected? (1)

BenoitRen (998927) | more than 5 years ago | (#28011487)

I haven't seen malware links on Google, but I'm wondering if I'm infected because I don't regularly update Flash on my laptop (I don't have Flash on my main PC).

GOOG is Madoff (0)

Anonymous Coward | more than 5 years ago | (#28011887)

That sounds like a pretty ineffective virus because no one in the history of the Internet has ever clicked a text ad, ever. Seriously. Name one person who has clicked AdSense on purpose. Name one person who has clicked AdSense and then bought something. I don't believe it has ever happened, other than a proof of concept at the Googolplex.

Adobe Reader 9.1.1 not installed by default! (5, Interesting)

AxelBoldt (1490) | more than 5 years ago | (#28011953)

In their security alert [adobe.com] , Adobe urges people to upgrade from Adobe Reader 9.1.0 to 9.1.1. If you install Reader from their main download site, they still give you 9.1.0. The 9.1.1 update is available only if you follow the links at the bottom of the security alert. Insecurity through obscurity!

I've seen this. (5, Informative)

rincebrain (776480) | more than 5 years ago | (#28012105)

I got to clean out a system with this about a week ago. It was really nasty.

The worst part was that I spent the better part of two days trying to figure out why the search links were still being poisoned, even after nothing on several LiveCDs found anything...it turned out that it had installed an invisible Firefox plugin/extension which was doing it.

Exciting, huh?

Huh? (1)

cl0s (1322587) | more than 5 years ago | (#28012803)

People still use FTP? I'm not saying your totally safe with SFTP, but I haven't used FTP in I don't know how long! For ssh/sftp it's gotten to a point where I just use SCP command line, with the exception of connecting through Nautilus once in a while.

fir57? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28012889)

tangle of fatal KRESKIN
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?