Google Search Results Poisoning Gets Worse Due To Gumblar Attacks

A new epidemic of attacks that inject malicious links into Google search results has been getting worse lately.

Computer security experts have found that a search result attack has intensified in recent days and is present on many legitimate web sites, possibly thousands. CERT, the Computer Emergency Response Team, said that the attack targets known flaws in Adobe’s software and uses them to install a malicious program on the victim’s computer.

The malicious program downloaded from the malicious sites is known to steal FTP login credentials from victims' systems, and it uses that information to spread. In addition, this malicious program replaces Google search results with links chosen by the attackers to redirect users to malicious sites.

Hundreds of infected sites were tracked back in March 2009, and just recently ScanSafe, a security vendor, found that more than 3000 sites are now infected. The infection was named Gumblar after the domain Gumblar.cn, which was used to spread the initial infection. The number of Gumblar-compromised sites has grown an astonishing 246% since ScanSafe first started tracking the increase just over a week ago.

What is so special about Gumblar?

The fast growth of Gumblar is somewhat unusual and is more than likely due to the creators being able to obscure their coding of the parasite, making it difficult to notice on an infected site. The Gumblar attackers are able to infect legitimate sites through the stolen FTP login credentials. They can simply log into a site and then spread the infection through malicious links placed on certain web pages.

Web attacks similar to Gumblar are nothing new. Because of the widespread web attacks from other attackers and infections, Gumblar has not gained much attention yet, as it accounts for only a very small percentage of online attacks. Security experts have determined that a computer that is running up-to-date software and has some form of security software should be protected from this attack.

Do you have an up-to-date anti-spyware or anti-virus program currently installed and running on your system?