Web Site Hijack Morphs, Continues to Grow

In an attempt to stay one step ahead of security companies, the Gumblar web attack has jumped over to using a new domain to pull its malicious software.

Gumblar, so named because it infected benign Web sites with attack code that attempted to install malware from a "gumblar" domain onto visitors' computers, has switched to using a "martuz" domain instead, according to ScanSafe, which originally reported the attack. Symantec confirmed the switch in its own post.

The attack, which primarily uses stolen FTP logins to spread itself to new sites, continues to spread, according to US-CERT, but ScanSafe says its growth appears to be slowing down. If you run your own Web site, the company suggested using a free scanning service that can help identify whether your site has been hijacked by Gumblar or another drive-by-download attack. The useful Unmask Parasites service is still in beta, and will only report Gumblar-hijacked sites as suspicious, according to Gumblar, but it will catch an infected site.

To guard your own PC against the Gumblar attack code, see my earlier post about the exploits used in the assault. Most importantly, make sure you have the latest Adobe, Flash and Windows patches.
