US-CERT: "Malware Exploit Circulating"




Kevin R. Smith

One of the places we keep an eye on here is US-CERT, the United States Computer Emergency Readiness Team. Their crack team of computer commandos (read: geeks) keeps a watchful eye on all things relating to computer security that might have effects at the national or international level.

We like their view of things because it tends to take a "Just the facts, ma'am" approach to security news, rather than the FUD spreading that sometimes comes from security software vendors.

One of the things we took note of was their posting yesterday about what's being called the Gumblar malware.

Typically we avoid long quotes because there's seldom that much worth quoting, but this one is worth citing in whole, so quoting their posting,

"US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar.

The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them.

Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.

The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware.

This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits.

Additionally, this malware may also redirect Google search results for the infected user.

US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks."

There are several noteworthy things in this posting that we felt warranted clarification to our newer readers:

Security Problem 1: Drive-by-download exploit


Security Meaning:

These are viruses and other malware that can infect your computer just by visiting certain websites.


Web browsers, despite their user-friendliness (in fact because of it), have software bugs in them. These bugs are often very, very hard to detect for the programmers when they're creating the web browser software, but they're still there.

Crackers then begin attempting to trick the web browser into doing things it wasn't designed for, like installing software on your computer without your permission, or even without your knowledge.

Sometimes these bugs involve two components, perhaps a web browser like Internet Explorer and a .pdf reader like Adobe Acrobat.

Security Solution:

Make sure you run updated antivirus software.

Modern antivirus software can often stop these malware exploits in their tracks.

Thus, by running antivirus software you're doing a lot to mitigate risks from this type of malware delivered via your web browser.

Security Problem 2: Stolen FTP credentials


Security Meaning:

FTP is one of the most popular mechanisms used by web designers for transferring files to and from their web sites. FTP is fairly ubiquitous in the web design world; it's also completely insecure. Here's why:

FTP sends the web master's username and password, needed for them to make changes to their site, in "cleartext."

This means anyone on the same network segment or unsecured wireless connection as the web designer can actually silently intercept their usernames and passwords every time they make changes to their site.
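To make the cleartext point concrete, here is an added example (our own illustration, not part of the US-CERT posting) that scans a captured FTP control channel for logins sent in the clear, the kind of check an administrator can run to find webmasters still using plain FTP. The sample sessions are constructed, not real captures, and the check reports that a password was exposed without echoing the password itself.

```python
import re

# Constructed sample: an FTP control-channel exchange as seen by anyone on
# the same network segment. This is not a real capture.
SAMPLE_FTP_SESSION = b"""220 (vsFTPd 3.0.3)
USER webmaster
331 Please specify the password.
PASS hunter2
230 Login successful.
TYPE I
200 Switching to Binary mode.
"""

# Constructed sample: the start of an SFTP (SSH) session. After the version
# banner everything is encrypted, so no readable credentials appear.
SAMPLE_SFTP_SESSION = b"SSH-2.0-OpenSSH_8.9\r\n" + bytes(range(256)) * 2


def find_cleartext_logins(capture: bytes) -> list:
    """Flag FTP USER/PASS commands visible in a captured control channel.

    Returns one record per login attempt. The password value is never
    returned, only its length and the fact that it was sent in the clear,
    so the report can be shared without re-exposing the credential.
    """
    findings = []
    current_user = None
    for raw in capture.split(b"\n"):
        line = raw.strip(b"\r")
        m = re.match(rb"^(USER|PASS)\s+(.*)$", line, re.IGNORECASE)
        if not m:
            continue  # replies, data commands and binary junk are ignored
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == b"USER":
            current_user = arg.decode("latin-1")
        elif cmd == b"PASS":
            findings.append({
                "user": current_user,
                "password_exposed": len(arg) > 0,
                "password_length": len(arg),
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_FTP_SESSION):
        print(f"cleartext FTP login for user {f['user']!r} "
              f"(password of {f['password_length']} chars sent in the clear)")
    print("SFTP findings:", find_cleartext_logins(SAMPLE_SFTP_SESSION))
```

Run against the FTP sample it reports the webmaster's login; run against the SFTP sample it finds nothing, which is exactly the difference the text describes.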

If you can get a webmaster's FTP username and password, all bets are off.

This means crackers can then make changes of their own to the unsuspecting web master's website, including uploading files to do harm to your computer, just for visiting the website.

Chances are the webmaster of the site means you no harm, and chances are they don't even know their site has been broken into, but that's exactly the point: the crackers get good sites to do bad things for them without the webmaster's knowledge.

Security Solution:

If you're a webmaster, consider switching to SFTP, Secure File Transfer Protocol. SFTP's most popular variant is a part of OpenSSH, and it's totally, completely 100% free.

Nearly all Unix, BSD, and Linux machines have support for SFTP. Windows web servers can run SFTP, too, under Cygwin.

Whatever your particular case, if you're renting a server from a web hosting company, you'll want to check with them to see what options are available. Whatever the case, chances are it's inexpensive and well worth the cost to minimize the risk of someone breaking into your website.

For the rest of us, as web site users, it's impractical to recommend something absurd like, "avoid unknown websites."

That's half the point of the Internet to begin with!

The real solution is to run antivirus software and make sure it's properly configured to provide "realtime" protection and protection at the web browser level.

Security Problem 3: updates for known PDF and Flash Player vulnerabilities


Security Meaning:

Like web browsers, PDF viewers like Acrobat and Flash players have bugs, too.

These programs, in part because they're integral parts of web browsers today, can become part of the process that crackers use to get their viruses and malware onto your machine.

We've all been told about a million times: "Don't open unknown attachments!"

Ok, got it. But these aren't even attachments... they're malicious viruses and the like that attack your computer whenever it visits a web page that has a .pdf or Flash video, so now what?

Security Solution:

There are two important parts to this solution:

  1. Keeping your system and your software up-to-date.

     Typically, software from companies other than Microsoft needs to be updated outside of the "Windows Update" mechanism.

     This means going into applications like Adobe Acrobat and manually updating each piece of software in addition to using the software's autoupdate mechanisms, too.

     Autoupdate is great; however, we caution against becoming too dependent upon autoupdating software since there may be unknown reliability issues or other problems with these tools.

     It's important to know and understand what's going on with your computer.

  2. Antivirus software. Install it. Run it. Update it. Make sure it's properly configured.

Security Problem 4: redirect Google search results


Security Meaning:

For a lot of people Google practically is the Internet. Unfortunately, because of the trust put in Google, whatever shows up in their search results is often taken for gospel.

What this particular exploit is doing is swapping out the real Google results with phony ones. Why?

Most commonly this is because the crackers want you to visit sites they own, or other sites that pay them for sending traffic their way.

Sometimes the sites they're sending traffic to have no idea that the traffic is coming from malware installed on visitors' computers.

Security Solution:

Once again, the real solution is... that's right, you guessed it: antivirus software.

What we also took note of in the article was that US-CERT says, "US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks."


Sure sounds like they're beating the same drum we do.