Tuesday
19May2009

Gumblar Up Another 7%; Martuz.cn is Down

The number of unique compromised Gumblar domains increased another 7% overnight, but the good news is that the attackers may just be finding it hard to do business. While detection by signature vendors and Web crawlers still remains quite low, and the number of compromises keeps increasing as a result, the attention focused on the attacks by the media and the security community at large is helping to get the malware domains shut down rather quickly. Martuz.cn has been down all day, but the mal-scripts on the compromised sites we've been monitoring have not yet been changed.

Hopefully this is an indication that - despite the level of control the attackers appear to have over the compromised sites - keeping the attacks going is getting to be more trouble than it is worth. Or, it could simply be that the attackers have decided to take a short break in the hope that attention will cool off, after which they will begin the attacks anew.

It's anyone's guess at this point. All we can do is wait, monitor, and see what happens. We'll keep you posted.

Reader Comments (1)

Thus far nobody has provided concrete proof that the compromise is happening at the web site level. Where are the altered HTML lines? Where are the mismatched checksums?

Where is even a single anti-malware signature that can point to a specific file and say "this is the file, and here's why"?

The fact is, nobody has held up such evidence. It would be helpful, and a great deal less defamatory to small web site owners, if people did not spread information about the attacks when they don't even know exactly how they work.

Google Safe Browsing continues to insist that some sites are still "compromised", but again, they refuse to provide concrete evidence. Sure, I can make a web site that says my crawler visited Google and found 23 trojans, 10 exploits, and blah, blah, blah. The problem? No shred of proof. Google, and several security-oriented sites (*ahem*) are using the "because we said so" angle.

It is clear that even US-CERT is relying on the pronouncement of such sites, apparently also in the absence of accompanying evidence.

No worries if you won't publish this reply; I will gladly publish it elsewhere. Our business has trickled down to nothing in the past week, thanks to the persistent allegations. Still, Norton Safe Web shows our site as CLEAN, all our scanners show it as clean, our hosting service comes up empty-handed, and we've gone over our HTML with a fine-toothed comb.

I am inclined to trust Norton Safe Web's results more than I'm inclined to trust a raft of unsourced anecdotes and unproven accusations.

May 22, 2009 | Unregistered Commenter Chris
