gumblar


FTP Flaw Could Disable Wide Range of Servers

An easily exploitable flaw exists that could enable an anonymous hacker to cause a denial of service on many common FTP server platforms, including some public FTP servers run by software giants Adobe and HP, according to a report published by SecurityReason. The vulnerability affects a wide range of FTP servers, including those by OpenBSD (V 4.7), NetBSD (V 5.0.2), FreeBSD (V 7.3/8.1), Oracle’s Sun Solaris 10 and GNU Libc, used by some leading software vendors.

The vulnerability exists in the glob() function, which is used to enable wildcard searches by file names. When exploited, the hole can cause servers to become slow, unresponsive and even crash. According to the report (http://securityreason.com/securityalert/7822) from Maksymilian Arciemowicz, a security researcher with SecurityReason, the error boils down to a problem with GLOB_LIMIT, a component created in 2001 to help reduce the memory used by glob(). The faulty GLOB_LIMIT clogs up memory with errant patterns, which leads to the attack.

Arciemowicz said well-trafficked sites such as ftp.openbsd.org, ftp.netbsd.org, ftp.freebsd.org, ftp.adobe.com, ftp.hp.com and ftp.sun.com are all vulnerable to denial of service attacks using the glob() function. Those sites often allow anonymous logins, making attacks even easier. Unlike previous FTP attacks like Gumblar, which remotely steals credentials, the GLOB flaw does not allow remote code to be executed on the affected system and does not appear to be widespread. A patch has yet to be issued. The H Security has more details about the flaw.

Hack Puts Spotlight on Malware’s Long Tail: Parked Domains

They’re the dusty corners of the Web: so-called “parked” domains. But these little trafficked sites are attracting the attention of security experts, who say that it’s time for hosting firms and others that profit from them to clean up malware infections that may be exposing millions of Web users to attacks.


In the first few months of 2009, security researchers began seeing signs of a new piece of malware that was somewhat baffling to them. It didn’t act like other Trojans or rootkits and try to bury itself on an infected machine and try to do nasty stuff like deleting registry keys or copying the contents of the hard drive. Instead, this malware, which came to be called Gumblar, was about the business of stealing Web site credentials and compromising as many legitimate sites as possible, creating something entirely new: a botnet of infected Web servers that has highlighted the horrific state of Web application security and become the new model for Web-based malware.

LIMASSOL, CYPRUS–The operators of large-scale botnets such as Gumblar and others for years have relied upon stealth, creativity and guile to hide their creations from researchers and authorities for as long as possible. This has been especially vital for botnets with centralized command-and-control mechanisms. But the recent success of sophisticated, resilient peer-to-peer botnets has shown that level of effort isn’t necessary anymore.

The criminals behind the Gumblar botnet and malware campaign have been adapting their techniques, as attackers are wont to do, in order not only to evade detection but to prevent researchers from downloading and analyzing new versions of the malware.

By Vitaly Kamluk

We’ve been looking at the infrastructure of the Gumblar malware and found some curious facts about how Gumblar operates, which we would like to share to make hosting owners aware of the Gumblar threat. Analysis of some infected websites showed that the only way to inject the Gumblar infection was by using FTP access, because those websites have no server-side scripting. This was later confirmed by an analysis of FTP log files.

Gumblar, the nasty bit of malware that was part of a mass SQL injection on legitimate Web sites this spring, is continuing to spread and its creators have been busy lately, compromising hundreds of new sites, leading to a massive new wave of infections of end-user PCs.
