Analysts of the recent Gumblar attack, which compromised thousands of legitimate websites, stated that the unauthorized modifications to the sites were possibly made not only through SQL injection. The sites were also reportedly compromised by accessing web server files with stolen FTP credentials gathered by one of the final malware payloads of the same attack.
The infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC ends with the download of TSPY_KATES.G onto the affected system. The data stealer TSPY_KATES.G installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, including user names and passwords. Analysts believe that, through TSPY_KATES.G, Gumblar was able to compromise more sites than it did when it initially launched the attack.
SQL injections work only under certain conditions (the website must be vulnerable enough to allow such injections), and they give cybercriminals only limited access to the targeted web page. Obtaining FTP credentials, however, grants cybercriminals the same level of access as the website administrator, regardless of any security measures used.
Also, as opposed to SQL injections, inserting malicious scripts by directly accessing web server files is relatively harder to detect. Web administrators, most likely learning from last year's string of mass compromises, are already keen on watching the typical areas of websites where malicious scripts are likely to be injected. However, unauthorized file access enables cybercriminals to place the malicious scripts where they won't be noticed, and in as many areas of the website as they want. This may explain the occurrence of malicious scripts in multiple pages of websites compromised by Gumblar.
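One defender-side check against this, as an added example that is not from the original post: a file-integrity baseline of the web root that flags every added, removed or modified file, so an injected script stands out wherever it is placed rather than only in the usual spots. The web root, page contents and the injected script URL are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean site, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "index.html").write_text("<html><body>Home</body></html>")
        (root / "about.html").write_text("<html><body>About</body></html>")
        (root / "img" / "logo.txt").write_text("logo placeholder")
        baseline = snapshot(root)  # taken while the site is known-clean
        # Simulated unauthorized change via stolen FTP credentials: the same
        # script tag appended to several pages plus one dropped file.
        injected = "<script src='http://injected.example/x.js'></script>"
        for page in ("index.html", "about.html"):
            p = root / page
            p.write_text(p.read_text() + injected)
        (root / "img" / "dropped.php").write_text("<?php /* constructed */ ?>")
        return diff_snapshots(baseline, snapshot(root))
```

Run the baseline snapshot from a trusted host and store it off the web server; a baseline that the FTP account can overwrite proves nothing.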
Creating a website is indeed a big task but, considering the present threat landscape, monitoring it and keeping it secure from attacks is a bigger one.
Website administrators have the responsibility to keep their systems malware-free, secure web server files from unauthorized access, and keep their websites clean of malicious code, for their own sake and, most especially, their visitors'.