Cisco Systems said Tuesday it plans to buy privately held Web-based security software company ScanSafe for about $183 million.
The all-cash deal, which also includes retention-based incentives, is expected to close in Cisco's fiscal second quarter, which ends in January 2010.
ScanSafe is a cloud-based software service that allows customers to license the application on demand. Cloud-based services help customers save on costs, because they don't have to buy licenses to software and manage the software applications themselves.
The ScanSafe technology will help Cisco expand on capabilities it added when it bought IronPort in 2007, the company said. Cisco also plans to integrate ScanSafe's service with its AnyConnect VPN Client to provide a secure mobility solution. And Cisco will use ScanSafe's data centers to provide new cloud security services.
After a lull, Cisco has stepped up its acquisitions. This is the third acquisition the company has announced this month. Two weeks ago it said it would buy wireless equipment maker Starent Networks for $2.9 billion. And at the beginning of the month, it said it would buy Norwegian video conference equipment maker Tandberg for $3 billion. CEO John Chambers has said the company is looking for even more acquisitions.
Updated May 29 at 11:25 a.m. PDT with more details, quotes throughout.
Gumblar, a new attack that compromises Web sites, has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.
Because the attackers made changes to the configurations of servers hosting compromised Web sites, they are able to continue controlling them and adding new domains for downloading exploit code onto computers of visitors to the sites, Mary Landesman, a senior security researcher at ScanSafe said on Friday. "At some point these attacks (on Web sites) will start again," she said.
Gumblar is building two botnets simultaneously--the botnet of compromised Web sites and a botnet of infected PCs, she said.
Visitors to those compromised sites, if they have JavaScript enabled, are then compromised and join the PC botnet, she said.
The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.
"It is targeting IE users and Google searches," Landesman said.
The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."
The estimate for the number of individual PCs compromised by Gumblar is also a mystery, however that number is likely very high too given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.
ScanSafe contends that Gumblar's behavior is more intrusive than Conficker, a worm that spreads via a hole in Windows through removable storage devices and network-shares with weak passwords, as well as disables security software and installs fake antivirus software.
In addition, Gumblar has extended its propagation capability, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);
2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;
3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;
4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.
- prev
- 1
- next
