Poisoning Google with Malware

May 19th, 2009 2 Comments »

There is a new threat that is filling Google search results with links to malicious sites. CERT warns this threat is spreading quickly, especially over the last few days. According to CERT there are thousands of legitimate sites infected with this threat, now called the Gumblar attack.

The attack steals FTP account credentials from the victim's machine to further spread its reach. It also takes control of the victim's browser, which is how it replaces Google search results. ScanSafe has reported that of the 3,000 known infected sites, 800 were infected within the last week.

As of right now, the Gumblar attack is considered relatively small scale. With access to victims' FTP account information and strong obfuscation, the growth is expected to continue. Typically the number of sites infected with a known threat declines over time; this isn't the case with the Gumblar attack.

The Gumblar attack uses known flaws in Adobe software products (that typically do not get patched quickly) to install the malicious software.


Author: Christopher


Intel CPU Rootkit to be released

March 18th, 2009 3 Comments »

Tomorrow at 12pm EST, Joanna Rutkowska and Loic Duflot are publishing a paper and working exploit code that targets Intel cache mechanisms. These attacks allow privilege escalation into SMM (System Management Mode) and are capable of deploying a rootkit that can take complete control of the machine. SMM space is out of reach of the operating system, so this attack cannot be detected or blocked by any current form of software anti-virus protection. SMM space is available on all Intel CPUs, going as far back as the Intel 386.

This issue has been reported to Intel on numerous occasions over the last few years. Loic reported it 3-4 months ago, back in October, and Intel's own employees had mentioned it in documents as far back as 2005. To date, Intel has not provided any resolution to this vulnerability, and this is the main reason Joanna and Loic are going the full disclosure route. Joanna notes on her blog: “If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later.”

Intel did alert CERT back in October when Loic reported his findings; this was tracked as VU#127284.

You will find full details published at Joanna's website, the Invisible Things Kernel Security Blog.

Currently, there is no defense against this threat other than using AMD or virtualization. Or is there, Intel?


Author: Christopher


IIS vulnerability spreads like a forest fire

April 24th, 2008 No Comments »

Almost 300,000 web sites hosted on Internet Information Services are infected with new malware, according to PandaLabs. Through SQL injection, attackers insert code into all pages hosted on the same IIS server that redirects visitors to a malicious site. The malicious page scans the visitor's machine for ways to compromise it; exploits matching what the scan found are then downloaded and used to infect the redirected visitor.

If your site is hosted on Internet Information Services, it is highly recommended that you check whether your site is compromised. To do so, search your page source for the following injected script reference: “<script src=http://www.nihaorr1.com/1.js>”. If this reference is found, remove it immediately and notify your IIS admin right away.
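A plain text search for the quoted string misses variants such as quoted or upper-case attributes, so here is an added example (not from the original post or from PandaLabs) that parses the HTML and flags any script tag whose src host is the indicator domain named above. The indicator host is taken from the post; the sample pages and the file extensions are constructed assumptions.

```python
from pathlib import Path
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host taken from the indicator quoted in the post; all sample pages here are constructed.
INDICATOR_HOSTS = {"www.nihaorr1.com", "nihaorr1.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag, whether the value is quoted or not."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def injected_script_srcs(html):
    """Return the src values of script tags that load from an indicator host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.srcs:
        # urlparse handles http://host/1.js as well as protocol-relative //host/1.js;
        # hostname comes back lowercased, so case changes in the URL do not evade the check.
        host = urlparse(src.strip()).hostname
        if host and host in INDICATOR_HOSTS:
            hits.append(src)
    return hits


def scan_tree(root, extensions=(".html", ".htm", ".asp", ".aspx")):
    """Walk a directory of saved page output or templates; return (path, src) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            for src in injected_script_srcs(path.read_text(errors="replace")):
                findings.append((str(path), src))
    return findings


# Constructed samples: a clean page and one carrying the unquoted injected tag from the post.
CLEAN_PAGE = '<html><head><script src="/js/site.js"></script></head><body>ok</body></html>'
INFECTED_PAGE = ('<html><body><h1>News</h1><script src=http://www.nihaorr1.com/1.js></script>'
                 '</body></html>')
```

Because the code is injected through the database, scan the rendered pages your server actually serves (saved with a crawler or from a backup of the output), not only the static template files.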


Author: Christopher
