Viral Web Infections using Malware? Gumblar is, Unfortunately, Just Another Day on the Web

John H
May 15th, 2009
Tags: Endpoint Protection (AntiVirus), Malicious Code, Security, Security Response

Symantec Security Response has been monitoring a recent spate of Web-based attacks and drive-by downloads from compromised websites that are infecting end users' computers. This latest round of attacks carries a payload that maliciously alters Web search engine results on the compromised machines. There have also been some recent blog posts and articles about compromised websites serving drive-by downloads, including malware, with obfuscated attacks coming from a malicious Gumblar domain in China. Yes, we have seen a short-term increase in attacks, but the reality is that this is unfortunately just another day on the Web, and it reflects what we described in our Web Based Attacks: February 2009 whitepaper. For instance, Symantec documented attacks from more than 800,000 unique domains last year.

We have been proactively blocking these latest attacks with the network IPS in Symantec Endpoint Protection and Norton products. Because this particular attack is rendered in a Web browser in an attempt to exploit an underlying vulnerability, our IPS and Symantec Browser Protection are able to stop the attacks regardless of how they are obfuscated. Norton Community Watch (bolstered by our Norton customers) has reported the proactive blocking and protection of more than 33,000 users from attacks originating from the malicious 94.x.x.x domain, and more than 10,000 attacks from the malicious Gumblar domain. We have subsequently blocked attacks and prevented the download of malware from other domains associated with the attacks, such as autobestwestern, bestfindaloan, and the 213.x.x.x range. By comparison, we prevented more than 18 million attacks in 2008. More malicious domains and URLs may pop up later as more sites are compromised, but our IPS protection doesn't rely on traditional signature-based methods; it focuses instead on the underlying vulnerability, so Symantec will continue to protect customers without the immediate need for updates.

Some have noted that the exploit code is different on every website, making it difficult to identify compromised sites. This is a continuing trend we have observed, and we reported on these types of attacks in our whitepaper. Today it is a drive-by download coming from Gumblar; tomorrow it will be another malicious domain. This is another example of why Symantec believes customers need protection beyond traditional signature-based antivirus and should use additional protection such as client-based network IPS and browser protection capabilities.

As people browse to these compromised websites, the obfuscated JavaScript is set up to exploit multimedia, reader, browser, and third-party software vulnerabilities, in particular targeting Internet Explorer users and the Google search engine. So, what can users do to protect themselves? First of all, please read the Web-Based Attacks paper for a list of recommendations. In the meantime, make sure you are using Symantec Endpoint Protection with IPS turned on (or the latest Norton consumer product), keep your applications and application plug-ins updated, and make sure you have the latest antivirus definitions installed.
