Beladen infections plummet

The number of sites infected with malicious code inserted by the Beladen injection has dropped significantly.

Websense Security Labs' ThreatSeeker Network has detected a steady decrease in the number of sites carrying the malicious code over the past five days. Websense said the decrease is highly suspicious, and that it believes the infected hosts remain under the attackers' control.

Websense said it suspects that those behind the infections are removing the injected scripts automatically, in preparation for a new injection campaign.

Meanwhile, Trend Micro said its analysis of the recent Gumblar attack, which compromised thousands of legitimate websites, showed that the injection was carried out by accessing web server files with FTP credentials stolen by one of the final malware payloads of the same attack. ScanSafe, which originally reported the attack, had suggested that this was the case, but it had not been confirmed.

Technical communications spokesperson JM Hipolito claimed that an infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC ends with the download of TSPY_KATES.G onto the affected system.

The data-stealer, TSPY_KATES.G, installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, including usernames and passwords.

Using these stolen credentials, Trend Micro said, Gumblar was able to compromise more sites than it did when the attack was initially launched.
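The reason a traffic-monitoring driver can harvest FTP credentials is that classic FTP sends USER and PASS in the clear on the control channel. The script below is an added example, not code from the article or from Trend Micro: it walks a captured FTP control-channel exchange and lists every login that was visible in plaintext, noting whether the server accepted it (230) or rejected it (530) and stopping once a session upgrades to TLS (234). The three sessions in SAMPLE_FLOWS, the addresses and the account names are constructed; run the same logic over your own captures to see which accounts are exposed on your network.

```python
"""Added example (not from the article or Trend Micro): find FTP logins that
are exposed in cleartext on the control channel. The traffic below is
constructed, not real captured data."""
import re
from typing import Dict, List

# (connection, direction, control-channel line). 'C' = client->server,
# 'S' = server->client. Constructed sample of three FTP sessions.
SAMPLE_FLOWS = [
    ("10.0.0.5:51000->203.0.113.10:21", "S", "220 ProFTPD Server ready."),
    ("10.0.0.5:51000->203.0.113.10:21", "C", "USER webadmin"),
    ("10.0.0.5:51000->203.0.113.10:21", "S", "331 Password required for webadmin"),
    ("10.0.0.5:51000->203.0.113.10:21", "C", "PASS s3cret!"),
    ("10.0.0.5:51000->203.0.113.10:21", "S", "230 User webadmin logged in"),
    ("10.0.0.7:51234->203.0.113.10:21", "S", "220 ProFTPD Server ready."),
    ("10.0.0.7:51234->203.0.113.10:21", "C", "USER webadmin"),
    ("10.0.0.7:51234->203.0.113.10:21", "S", "331 Password required for webadmin"),
    ("10.0.0.7:51234->203.0.113.10:21", "C", "PASS guess1"),
    ("10.0.0.7:51234->203.0.113.10:21", "S", "530 Login incorrect."),
    # FTPS: after the 234 reply the control channel is TLS, nothing more is readable.
    ("10.0.0.9:52000->203.0.113.10:21", "S", "220 ProFTPD Server ready."),
    ("10.0.0.9:52000->203.0.113.10:21", "C", "AUTH TLS"),
    ("10.0.0.9:52000->203.0.113.10:21", "S", "234 AUTH TLS successful"),
]

CMD_RE = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)


def extract_ftp_logins(flows) -> List[Dict[str, object]]:
    """Return one record per USER/PASS pair the server answered, with whether
    the login succeeded (230) or failed (530). A session is ignored from the
    moment the server accepts AUTH TLS (234), because later lines are encrypted."""
    state: Dict[str, Dict[str, object]] = {}
    found: List[Dict[str, object]] = []
    for conn, direction, line in flows:
        st = state.setdefault(conn, {"user": None, "pass": None, "tls": False})
        if st["tls"]:
            continue
        if direction == "C":
            m = CMD_RE.match(line)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                st["user"], st["pass"] = arg, None  # new attempt resets the password
            else:
                st["pass"] = arg
        else:
            code = line[:3]
            if code == "234":
                st["tls"] = True
            elif code in ("230", "530") and st["user"] and st["pass"] is not None:
                found.append({"conn": conn, "user": st["user"],
                              "password": st["pass"], "success": code == "230"})
                st["pass"] = None  # one record per attempt
    return found


if __name__ == "__main__":
    for rec in extract_ftp_logins(SAMPLE_FLOWS):
        status = "OK" if rec["success"] else "FAILED"
        print(f'{rec["conn"]}: {rec["user"]} / {rec["password"]} ({status})')
```

The practical consequence is the one the TLS session illustrates: credentials sent over FTPS or SFTP never reach a traffic monitor in usable form, so moving web-publishing accounts off plain FTP removes this harvesting path even if a publishing workstation is already infected.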

Hipolito said: “Also, as opposed to SQL injections, inserting malicious scripts by actually accessing web server files is relatively harder to detect. Web administrators, most likely learning from last year's string of mass compromises, are already keen on watching the typical areas in websites where malicious scripts are possibly injected.

“However, unauthorised access by cybercriminals would enable them to place the malicious scripts where they won't be noticed, and in as many areas of the website as they want. This may explain the occurrence of malicious scripts in multiple pages of websites compromised by Gumblar.”
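If an attacker with valid FTP credentials can write anywhere in the tree, watching the "typical" injection points is not enough; the check that scales is a file-integrity baseline of the whole web root. The script below is an added example, not the article's or Trend Micro's tooling: it hashes every file under a web root, diffs the result against a saved baseline, and greps the new and changed files for patterns common in mass-injection payloads (script tags that open with eval/unescape/document.write, zero-sized iframes). The site layout, the injected snippets, the example.invalid host and the SUSPECT_RE patterns are constructed for the demo and should be tuned to your own site.

```python
"""Added example (not from the article or Trend Micro): a file-integrity
baseline for a web root. The web root and the injected snippets are
constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed patterns typical of mass-injection payloads; tune for your site.
SUSPECT_RE = re.compile(
    r"<script[^>]*>\s*(?:eval|unescape|document\.write)\s*\("
    r"|document\.write\s*\(\s*unescape"
    r"|<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b",
    re.IGNORECASE,
)


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def suspect_lines(path: Path) -> List[Tuple[int, str]]:
    """(line number, line) for every line matching SUSPECT_RE."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if SUSPECT_RE.search(ln)]


def audit(root: Path, baseline: Dict[str, str]):
    """Diff root against baseline and grep only the new and changed files,
    wherever in the tree they are."""
    diff = diff_snapshots(baseline, snapshot(root))
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for rel in diff["added"] + diff["modified"]:
        hits = suspect_lines(root / rel)
        if hits:
            findings[rel] = hits
    return diff, findings


def demo():
    """Build a small site, baseline it, then simulate an FTP-based injection
    into places a reviewer would not normally look."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blog" / "2009").mkdir(parents=True)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
        (root / "blog" / "2009" / "old-post.html").write_text(
            "<html><body>Archive</body></html>\n")
        (root / "js" / "site.js").write_text("function init() {}\n")
        baseline = snapshot(root)

        # Attacker with valid FTP credentials: edits an archived page, appends
        # to an existing script, and drops a new file. (Constructed payloads.)
        (root / "blog" / "2009" / "old-post.html").write_text(
            "<html><body>Archive<script>eval(unescape('%61%6c%65%72%74%28%31%29'))"
            "</script></body></html>\n")
        with (root / "js" / "site.js").open("a") as f:
            f.write("document.write(unescape('%3Cscript src=%22http://example.invalid/x.js"
                    "%22%3E%3C/script%3E'));\n")
        (root / "blog" / "2009" / "promo.php").write_text(
            '<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n')
        return audit(root, baseline)


if __name__ == "__main__":
    diff, findings = demo()
    print(diff)
    for rel, hits in findings.items():
        for n, ln in hits:
            print(f"{rel}:{n}: {ln}")
```

In production the baseline dictionary is written to disk (or a remote store the web server cannot write to) after each legitimate deploy, and the audit runs from cron; the diff alone is the alert, since any change the deploy process did not make is worth a look whether or not SUSPECT_RE matches it.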

See original article on scmagazineuk.com

Copyright © SC Magazine, US edition
