JPCERT-AT-2010-0001
JPCERT/CC
2010-01-07 (Initial draft)
2010-01-08 (Updated)
<<< JPCERT/CC Alert 2010-01-07 >>>
Web site compromises and Gumblar attacks continue to increase
https://www.jpcert.or.jp/at/2010/at100001.txt
I. Overview
From late last year, widespread attacks have used stolen FTP accounts
to deface web sites. Affected web sites include embedded obfuscated
Javascript, which attempts to infect visitors to that site with malware
such as Gumblar. The number of systems infected in this way continues
to climb. JPCERT/CC published a bulletin regarding this at the end of
last year; however, over the New Year's holiday, the number of sites
affected has begun to increase anew. For the purposes of advising
affected users and system administrators about how to address this
problem once again, JPCERT/CC is releasing this new bulletin.
Graph: number of web site defacement reports received by JPCERT/CC
https://www.jpcert.or.jp/at/2010/report_malicious_websites.png
The sharp increase in the number of reports received in the 4th
quarter of 2009 can be observed.
If a user visits a defaced web site, unauthorized software may be
downloaded to the user's PC, infecting it with malware.
- Users should re-confirm that their operating system and any other
software running on it have been updated to the latest version.
- System administrators should confirm that any sites they control
do not contain unauthorized embedded content.
II. Countermeasures
[For users]
JPCERT/CC has confirmed attacks are using vulnerabilities in Adobe
Flash Player, Adobe Acrobat, Adobe Reader, Java (JRE) and Microsoft
products. Listed below are instructions for updating these products.
[Adobe Acrobat, Adobe Reader]
From the Acrobat or Reader menu, selecting "Help" -> "Check for
Updates" will allow you to upgrade to the latest version. If
upgrading fails for some reason, please install the latest version
from the following URL:
Adobe.com - Downloads
http://www.adobe.com/downloads/
*** Added : 8 January 2010 ******************************
The malicious use of unpatched Adobe Reader / Acrobat vulnerabilities
has been confirmed. Adobe plans to release patches for affected
products on 13 January 2010. Please consider the following
mitigations while suitable patches are prepared:
* Disable Javascript:
1. Launch Acrobat / Adobe Reader
2. From the menu bar select "Edit" -> "Preferences"
3. From the categories listed, select "Javascript"
4. Clear the checkbox for "Acrobat JavaScript"
5. Click "OK" to confirm these new settings.
** Both Adobe Acrobat and Adobe Reader need this settings change to
be applied.
* If you are using Windows, enable DEP (Data Execution Protection).
** If you are using an older system, you may not be able to enable
DEP.
******************************************************************
[Adobe Flash Player]
Please check the version of your Flash Player at the following URL
Adobe Flash Player:Version Information
http://www.adobe.com/software/flash/about/
If you do not have the latest version of Flash Player, please
download it from the following URL:
Adobe Flash Player installation
http://get.adobe.com/flashplayer/
[Java(JRE)]
Please check your version of Java at the following URL. (If Java is
not installed on your system, this web site may prompt to you to
install it. If you do not wish to install Java, you may safely ignore
this.)
Java version checker:
http://www.java.com/en/download/installed.jsp?detect=jre&try=1
If you do not have the latest version of Java, please download it
from the following URL:
Java downloads for all operating systems:
http://www.java.com/en/download/manual.jsp
** When upgrading Java, other software relying on Java may be
affected. Please consider this while applying the patch.
[Microsoft]
Please check for any software updates at the following URL:
Microsoft Update
https://www.update.microsoft.com/
Furthermore, as it is believed that the attack code on defaced web
sites is being changed on a continual basis, this may indicate that
vectors of attack are also changing. For this reason, always make
sure that your operating system and any software is always up to date.
Also, anti-virus software pattern files should be kept up to date, as
well as ensuring that your anti-virus software's virus detection
feature is enabled.
[For web site administrators]
If your web site has been defaced with malicious code, users visiting
your web site may be exposed to the installation of malicious
software. To prevent this, please consider the following actions.
- Ensure that systems with access to update the web site are
restricted (by IP address or similar).
- Ensure that your web site's public content does not contain
malicious code or that it has otherwise not been defaced.
- Many defaced web sites have malicious scripts inserted into them.
HTML files and external .js (Javascript) files may have "/*GNU
GPL*/ try" or "<script>/*CODE1*/ try" strings embedded in them.
*** Update: 8 January 2010 ***************************************
The following string has also been confirmed in defaced web sites:
"/*LGPL*/ try"
******************************************************************
- Check in your FTP server log files that there are no unusual
source IP addresses or timestamps outside of regular hours logged.
- Check that systems used to update the web site are not infected
with malware. If your web site is updated by a third party, ask
them to check that the systems they used to update the site are not
infected with malware.
III. Reference information
Ministry of Economy, Trade and Industry
New Year's holiday Internet activity bulletin
http://www.meti.go.jp/policy/netsecurity/downloadfiles/nenmatsunenshi.pdf
JPCERT/CC
Large amount of malware infections occurring via web sites
https://www.jpcert.or.jp/at/2009/at090023.txt
JPCERT/CC
Adobe Reader and Acrobat contain unpatched vulnerabilities
https://www.jpcert.or.jp/at/2009/at090027.txt
JPCERT/CC
Winter vacation preparation tips Vol.2
New Year's holiday Internet usage important points
https://www.jpcert.or.jp/pr/2009/pr090008.txt
*** Update: 8 January 2010 ***************************************
JPCERT/CC
Web defacement information sharing request
https://www.jpcert.or.jp/pr/2010/pr100001.txt
******************************************************************
Internet Promotion Agency
Bulletin for web site administrators regarding web site defacements
Bulletin for users: Users being infected while visiting defaced web sites
http://www.ipa.go.jp/security/topics/20091224.html
If you have any further questions or information regarding this alert,
please contact JPCERT/CC.
________
Revision history
07 January 2010: Initial version
08 January 2010: Edited outline, added extra script tag example,
Adobe Acrobat / Reader unpatched vulnerability
mitigation information added
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top