Gumblar site infections return, WordPress among affected

Sites show error messages.

In the latest wave of Gumblar attacks, the backdoor script being used to infect legitimate websites has been causing some WordPress blogs and other PHP-based sites to crash, security researchers have warned.

“On various forums, you can find posts where webmasters report similar problems with their WordPress blogs,” independent security researcher Denis Sinegubko wrote on his Unmask Parasites blog last week. “Their sites are broken and all they can see is error messages.”

Researchers said the messages are being generated because of a bug in the Gumblar malicious code that has been injected in these sites.

"[The error messages] should serve as a clear warning to site owners that their site has been compromised," Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com.

She recommended website administrators properly secure their sites before bringing them back online.

The buggy code comes with one benefit: it is preventing some compromised sites from serving the malicious content and infecting visitors, Sinegubko said.

"[But] in thousands of other cases, the error doesn't occur and those backdoored sites continue to act as malware hosts,” Landesman said.

So-called Gumblar attacks first caused a stir in May after it was discovered that thousands of legitimate sites had been injected with malicious code that causes visitors to be infected with a family of trojans. The attack was named Gumblar after the domain, Gumblar.cn, which initially hosted the malware.

Landesman said she is unsure how many Gumblar-infected sites currently exist, though they may number in the hundreds of thousands.

If a user's PC becomes infected, the malware causes the browser to redirect Google search results. It also steals FTP credentials used by webmasters, Landesman said. Once the attacker has those credentials, the victim site is infected with a backdoor that enables attackers to get back in whenever they want -- even if a website administrator resets the FTP credentials.

By now, those behind Gumblar have essentially built up a botnet of infected sites, which makes the malware campaign more difficult to disrupt, Landesman said.

“This is the first time we have seen malware creating a botnet out of compromised websites themselves,” she said.

In the latest wave of Gumblar attacks that began this October, attackers began utilising this botnet, Landesman said. Instead of having just a few attacker-owned, malware-hosting domains for all infected sites to point to, as is typically the case with web malware outbreaks, attackers have tapped into their botnet, spreading the malware hosting across thousands of compromised sites. In addition, other compromised sites have been injected with IFRAMEs that point to those compromised hosts.
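The article describes two things a site owner should look for after an FTP credential theft: hidden IFRAMEs injected into pages that pull content from other compromised hosts, and a PHP backdoor that survives a credential reset. The scanner below, added here as an example and not code from the article, ScanSafe or Unmask Parasites, walks a web root and flags files carrying generic indicators of that kind of injection. The indicator patterns (zero-size or hidden IFRAMEs, `eval(base64_decode(...))`-style obfuscation, PHP files in directories that should only hold static assets) and the sample files it scans are assumptions and constructed test data, not Gumblar-specific signatures taken from the page.

```python
"""Scan a web root for injected hidden IFRAMEs and obfuscated PHP backdoors.

Added example, not code from the original article. The indicator patterns
are generic, assumed signs of the kind of injection the article describes;
they are not Gumblar-specific signatures from the page.
"""
import os
import re
import tempfile

# Assumed indicator: an IFRAME sized 0x0 or hidden with CSS, the usual way an
# injected frame loads a remote host without the visitor noticing.
IFRAME_RE = re.compile(
    r'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?0\b[^>]*>'
    r'|<iframe[^>]*\b(?:visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>',
    re.IGNORECASE | re.DOTALL,
)
# Assumed indicator: PHP that executes decoded/decompressed data at runtime,
# the common shape of a backdoor dropped with stolen FTP credentials.
PHP_BACKDOOR_RE = re.compile(
    r'\b(?:eval|assert)\s*\(\s*'
    r'(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(',
    re.IGNORECASE,
)
TEXT_EXT = {".php", ".inc", ".tpl", ".html", ".htm", ".js"}
# Assumed: directories that should contain static assets, never PHP.
ASSET_DIRS = {"images", "img", "uploads", "css"}


def scan_file(path, relpath):
    """Return (relpath, indicator) tuples for one file."""
    findings = []
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return findings
    if IFRAME_RE.search(text):
        findings.append((relpath, "hidden_iframe"))
    if PHP_BACKDOOR_RE.search(text):
        findings.append((relpath, "obfuscated_php"))
    dirs = relpath.split("/")[:-1]
    if relpath.lower().endswith(".php") and any(d in ASSET_DIRS for d in dirs):
        findings.append((relpath, "php_in_asset_dir"))
    return findings


def scan_tree(root):
    """Walk root and return a sorted list of (relative path, indicator)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(scan_file(full, rel))
    return sorted(findings)


def build_sample_site():
    """Write a constructed sample web root to a temp dir and return its path.

    The contents are made up for this example; the host 203.0.113.10 is a
    documentation address, not a real malware host.
    """
    root = tempfile.mkdtemp(prefix="webroot_scan_")
    samples = {
        "index.php": '<?php echo "hello"; ?>\n'
                     '<iframe src="http://203.0.113.10/in.php" width="0" '
                     'height="0"></iframe>\n',
        "wp-content/themes/x/footer.php":
            "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
        "images/cache.php": '<?php echo "fine"; ?>\n',
        "about.html": '<html><body><iframe src="https://example.com/embed" '
                      'width="640" height="360"></iframe></body></html>\n',
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for relpath, indicator in scan_tree(build_sample_site()):
        print(f"{indicator:18} {relpath}")
```

Run against a real web root, the findings are a starting point for the cleanup the article calls for: every flagged file is reviewed or restored from a known-good copy before the site goes back online, and the FTP credentials are only useful to rotate once the backdoor itself is gone, since the article notes the backdoor lets the attacker back in after a reset.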

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
