Security firms and the U.S. Computer Emergency Readiness Team (US-CERT) warned this week of a series of attacks that has compromised Web sites and then used the infected sites to spread malware.
The malware behind the attacks — known variously as Grumblar, Martuz and JSRedir — involves at least two pieces of malicious software in a multi-stage attack: The first is placed on Web sites compromised through, what security analysts believe, are stolen FTP credentials, and the second redirects victims who visit the compromised site to a different malicious Web site that infects their computers. Once an end user's system is infected, the malicious software steals any FTP credentials, installs fake security software, and redirects some Google searches to potentially malicious sites.
The attacks, first detected in March, spiked earlier this month, surpassing 40 percent of all Web-based attacks, according to security firm Sophos. While Web sites compromised by the attacks doubled every day last week, this week, the malicious scripts appear to be spreading more slowly, according to Web security firm ScanSafe.
"The good news is that the attackers may just be finding it hard to do business," Mary Landesman, senior security researcher with ScanSafe, said on the company's blog. "While detection from signature vendors and Web crawlers still remains quite low and the number of compromises increases as a result, the attention focused on the attacks via the media and security community at large is helping to get the malware domains shutdown rather quickly."
While the attack uses domain names based in China, the actual IP addresses lead back to Russia, researchers stated.
According to security analyst Andrew Martin, Grumblar steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos