Welcome Guest. | Log In | Register | Membership Benefits
Dark Reading's in-search-of-malware Weblog

Topics:   In Search of Malware

Mass-Meshing A Gumblar Creation

Who doesn't love a new buzzword? 'Mass-meshing' is a new term that describes an old problem first presented by the Gumblar attacks in 2009

Jun 30, 2011 | 04:52 PM | 

By Mary Landesman

Recent media reports point to a supposed new type of attack that has been dubbed "mass-meshing" by the folks over at Amortize.

The Amortize report states, “We want to report a new type of mass-scale drive-by download attack that we'll dub "Mass Meshing Injection."" The report then goes on to explain what it is and how it differs from a SQL injection attack. The crux of their concern is that in this “new type” of attack, “Every redirector is itself an infected domain, which means blacklisting becomes more difficult and prune to false alerts.”

But that was exactly the case two years ago with Gumblar. From our ScanSafe blog post then:

“In a typical outbreak situation, there are compromised websites that act as a conduit for malware hosted on an attacker owned site. But in this case, the malware resides on thousands of legitimate (but compromised) websites.”

Of course, all those Gumblar-backdoored websites proved fertile grounds for other attackers to abuse, and in October 2009 we saw Zeus adapting this same method:

“Interestingly, compromised pages are also being injected with external source references to the malware contained on other compromised sites. Those who followed last week's report of the newest Gumblar technique will recall that unlike traditional compromises which simply inject pointers to malware hosted on an attacker-owned domain, in these attacks the compromised domain is also acting as host for the malware itself."

At the time, we also noted that:

"This method of attack complicates remediation via technologies that rely on blacklisting because the number of compromised websites (now acting as malware hosts) is in the thousands.”

And we also reported the same method being used in a random malvertising attack in 2010:

“ScanSafe STAT has been investigating an ongoing series of attacks which has been a hotbed for zero day exploits over the first quarter of 2010. The attackers are using three layers of legitimate sites. Two layers are compromised websites used to host malicious content that is then subsequently pushed to a third layer of legitimate websites via syndicated ads.”

The above references aren't to minimize the severity of mass-meshing style attacks, but rather just to point out that the mass-meshing technique isn't new.

Indeed, today it is pretty common to see interwoven attacks in which the compromised sites work in concert to interchangeably serve as conduit, redirector, and/or the actual malware host.

And while it does pose some additional challenges, overall security vendors seem to be coping fairly well with it. (Though obviously anyone relying purely on blacklisting would have a problem, but most use more layered defenses).

I have to say though that while the attack method isn't new, mass-meshing is a pretty cool, new buzzword to describe it.

Mary Landesman is an antivirus professional and senior security researcher for ScanSafe, now part of Cisco. In 2009 she was awarded a Microsoft MVP for her work in consumer security.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Related Content

 Sponsored by:
sponsor logo
ScanSafe WIRe: Web Intelligence Reporting
Around the globe, organization face common demands; improve performance, streamline processes and increase productivity, and all while maintaining or lowering IT budgets. Given these contrasting goals, businesses are looking for improved ways to understand and optimize their systems and policies to achieve benefits without incurring additional expenses.


Cisco 2010 Midyear Security Report
The Cisco 2010 Midyear Security Report examines the "tectonic forces of change" reshaping the enterprise security landscape and demanding that businesses rethink their defense strategy.


Cisco 2Q10 Global Threat Report
Cisco 2Q10 Global Threat Report Get country, enterprise, and vertical views of the latest web and network attack patterns with data from global Cisco security deployments.


The Vertical Risk: Web Delivered Malware Impact by Industry
This ScanSafe STAT Vertical Risk Assessment presents the results of that analysis, detailing the vertical rates of exposure to Web-delivered malware as well as providing an analysis of the types and severity of the malware encountered.


Web 2.0wned: A History of Malware on the Web
While the Web has provided opportunity for a wide range of legitimate purposes, some of the earliest adopters of Web technologies have been those with criminal intent. As the Web enters its 20th year, changes will be required to prevent its continued criminal abuse. Until those changes occur, those who surf the web for business and pleasure need to protect themselves.


Twitter Facebook








  1. Cookies, Social Media And FireSheep
  2. SMB Guide To Credit Card Regulations, Part 2: The Low-Hanging Fruit
  3. HP And The Scary Corporate Fifth Column Concept
  4. Taking USB Attacks To The Next Level
  5. NoSQL: Not Much, Anyway
  1. Taking Cybersecurity Lessons To The Bank
  2. Researchers See Real-Time Phishing Jump
  3. 'BlackSheep' Sniffs Out Firesheep WiFi-Hacking
  4. Slideshow: Ten Free Security Monitoring Tools
  5. A Different Spin On Sleuthing Stuxnet
  6. M&A Activity Muddles Database Security
  1. Secure Managed Web Hosting Saves 960.gs from Malicious Hackers
  2. Access Governance as a Business Service: An Integrated Strategy for Automation with ITSM
  3. Business Driven Access Management and Governance: Simplifying the Delivery and Governance of Access Throughout
 
 


 
  Ars Technica
Boing Boing
Channel 9 Forums
CRN Blogs
Dr.Dobb's Portal: Blogs
Engadget
Gizmodo
GrokLaw 		  Lifehacker
Schneier on Security
Slashdot
TechCrunch
Techdirt
Techmeme
Valleywag
 
  May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
  June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
 
Featured Webcasts
Featured Whitepapers
Featured Reports