Gumblar: New Generation of Self-Building Botnets

By Vitaly Kamluk

We’ve been looking at the infrastructure of the Gumblar malware and found some curious facts on how Gumblar operates, which we would like to share to make hosting owners aware of the Gumblar threat. Analysis of some infected websites showed that the only way to inject the Gumblar infection was by using FTP access, because those websites have no server-side scripting. Later this was proved by an analysis of FTP log files.

Microsoft Threatens Discoverer of ‘Cash Back’ Loophole in Bing

The security glitch, which is linked to a “cash back” system operated by Bing, potentially leaves users and retailers exposed to fake transactions. But despite an outcry online over the existence of the loophole, the world’s largest company has responded to the issue by threatening legal action against the man who discovered the problem. First launched last year, before Microsoft rebranded its search website, the affiliate scheme offers users the chance to earn money back for every product they buy through the service. Read the full article.

Rapid Exploit of Windows Kernel Flaw Expected

Hackers will quickly jump on one of the 15 vulnerabilities Microsoft patched Tuesday to build attack code that infects Internet Explorer users, security researchers agreed today. The bug, which Microsoft patched as part of a record-tying security update for the month of November, is in the Windows kernel, the heart of the operating system. Read the full article. [Computerworld]

A well-known commercial provider of spyware applications for numerous mobile platforms has recently ported its Mobile Spy app to the Android mobile OS. Just like previous releases of the application, the Android version keeps a detailed log of GPS locations, calls, visited URLs, and incoming/outgoing SMS messages, available at the disposal of the attacker who installed it manually by obtaining physical access to the targeted device. Read the full article. [ZDNet]

A high-profile online advertising Web site has been hacked and rigged to serve multiple exploits to Microsoft Windows users surfing the net with unpatched third-party desktop software. According to a warning issued by Websense Security Labs, the malicious code was found on, which is described as a high-profile advertiser in the Internet realm. The site has been firing an assortment of exploits for several months, including exploits for vulnerabilities in Microsoft DirectShow and Adobe PDF Reader. Read the full advisory.

Almost 80% of the more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins and Web browsers. That number is about 10% higher than the number of flaws reported in the same period last year, and nine out of 10 of the flaws were found in commercial code. Read the full article. [Computerworld]

The attackers behind the insidious Koobface worm have taken to using Google Reader accounts that they control to spread the worm through shared Reader items. The infection method–which has been used before by Facebook worms–is another indication of the resilience and changing tactics the malware authors are employing.

Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) has made it into the hands of pirates, and their virtual ships are distributing it. The COFEE application lets officers grab data from password-protected or encrypted sources. That means you can now break the law twice over: download the software and then use it to steal information from other people’s computers.

Guest editorial by Gunter Ollmann

Botnets come in all shapes and sizes, and if you can’t find one that fits your unique purposes off-the-rack, it’s trivial to create a custom one using a do-it-yourself construction kit, which helps to explain the diversity we’re seeing within the enterprise. In general, though, enterprise-targeted botnets tend to be a different breed: they make use of enterprise-specific functionality (e.g. being proxy aware and exploiting vulnerabilities over the network that would be blocked by perimeter firewalls), and their objectives tend to be more “refined” and clearly criminal.

The security industry lacks a uniform way to name botnets, and the result is sometimes a long list of names for the same botnet that are used by different antivirus vendors and that can be confusing to customers. As it stands now, the infamous Conficker is also known as Downup, Downadup and Kido. The Srizbi botnet is also called Cbeplay and Exchanger. Kraken is also the botnet Bobax.
