Poisoning Google with Malware

May 19th, 2009

A new threat is filling Google search results with malicious links. CERT warns that this threat is spreading quickly, especially over the last few days. According to CERT, thousands of legitimate sites are infected with this threat, now called the Gumblar attack.

The attack steals FTP accounts on the victim's machine to further spread its reach. It also takes control of the victim's browser, which is how it replaces Google search results. ScanSafe has reported that, of the 3,000 known infected sites, 800 are from within the last week.

As of right now, the Gumblar attack is considered relatively small scale. With access to victims' FTP account information and strong obfuscation, its growth is expected to continue. Typically the number of sites infected with a known threat declines; this isn't the case with the Gumblar attack.

The Gumblar attack uses known flaws in Adobe software products (that typically do not get patched quickly) to install the malicious software.

Author: Christopher


In the wild: DNS Cache Poisoning

July 30th, 2008

Three DNS exploits are publicly available that target the recent DNS vulnerabilities brought to light by Dan Kaminsky. These exploits have been downloaded over 15,000 times, although we have no idea how many of these downloads are being used maliciously.

Multiple major ISPs still have not patched and remain vulnerable. Even if your organization patches for this vulnerability, your business may still be at risk if your upstream provider has not. If you have not checked the exposure of both your organization and your service provider, I highly suggest you do so now.

Author: Christopher


HP USB Key Complete With Worms

April 9th, 2008

HP Australia has warned that optional USB keys shipped with some of its Proliant servers are infected with malware, bringing attention to the growing use of USB drives as a means to distribute viral infections.

The low-risk worms, Fakerecy and SillyFDC, were found in a batch of 256MB and 1GB USB keys that shipped with the servers. It is undetermined how many infected keys, used for installing optional floppy-disc drives to servers, were distributed. An infected machine in the manufacturing factory is the likely cause of the incident.

The malware distributed is not considered an enormous threat, due in part to the low estimated number of users still utilizing floppy disk drives for data storage and because most hackers don't find the virus valuable.

This is not the first incident of infection to come out of the factory; others have involved digital photo frames and similar products. Anti-virus software, if up to date, should detect both of the viruses involved in the Proliant USB attack as long as the computer security software was installed after the floppy disk was added. Disabling autorun thwarts both Fakerecy and SillyFDC and may be the better option.

HP's advisory, via local security clearing house AUSCert, can be found here. The SANS Institute's Internet Storm Centre has advice on avoiding USB malware-related peril here.

Author: Christopher
