'Gumblar' attacks spreading quickly

The attackers behind a series of rapidly spreading Web site compromises have begun using a new domain to deliver their malicious code, security experts say.

The attacks, collectively referred to as "Gumblar" by ScanSafe and "Troj/JSRedir-R" by Sophos, grew 188 percent over the course of a week, ScanSafe said late last week. The Gumblar infections accounted for 42 percent of all infections found on Web sites last week, Sophos said.

Over the weekend, the Chinese Web domain used to deliver the malicious code--gumblar.cn--stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in Web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an advisory.

"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said.

Changes to the script make it more difficult to identify and stop detection by the Google Chrome browser, Unmask Parasites said.

Gumblar was first detected in March and has spread more quickly since then, against the expectations of security experts.

"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman, said late last week in an advisory.

In the Gumblar attacks, the opposite is occurring, partly because Web site administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.

Sites affected include Tennis.com, Variety.com, and Coldwellbanker.com, according to ScanSafe.

The attacks were carried out in multiple stages, beginning in March, when a number of Web sites were compromised and attack code embedded within them, ScanSafe said.

Then, in early May, as Web site operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.

The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.

The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the U.K., according to ScanSafe. That domain has now changed to martuz.cn.

Matthew Broersma of ZDNet UK reported from London.

[longroy]

..Question: If China's governing forces are so good at blocking content from being viewed by their own people, why the hell can't they stop all these trojans being delivered from .cn based websites?? Unless... ...aaahhh (light bulb)!

[gertruded]

Never once does the writer say that this is a windows problem.

IT IS A WINDOWS PROBLEM, IT IS A WINDOWS PROBLEM.

[man_w_balls]

don't you know that all computers are Windows?

OK, so they're not. Some people really don't know any different though, and it's sad.
But some of us will have working computers no matter what virii are unleashed.

[catch23]

>> attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player
Learn to read, you gutless shill. Any OS running these programs can be targeted.

[SIGHUP]

Actually he said it was an Adobe and Google problem. But good job putting out the first flamebait. Maybe you should read the entire article next time.

[Perry_Clease]

"Actually he said it was an Adobe and Google problem. But good job putting out the first flamebait. Maybe you should read the entire article next time."

I am staying out of the Windows flame war, but from what I read on a number of website the gumblar is more than an Adobe and Google problem From ComputerWeekly.com:

"Gumblar seeks to identify old, unchecked vulnerabilities on a PC that browses a hacked site, installing malware where holes are discovered. Successful attacks install malware that manipulates Google search result pages when viewed by Internet Explorer, presenting victims with links to fraudulent sites.

For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded," internet security company ScanSafe reports.

The Trojan could then allow cybercriminals control of the victim's computer, leading to myriad security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise - a common malware propagation tactic."

[alegr]

The virus compromises PHP websites. Most of them use Apache.

[Dalkorian]

"The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said."

The apologists shine spotlights on the Acrobat and Flash connection, trying to distract you from the fact that it's trying to mess with your search results (Google) ... when using Internet Exploder.

Try getting IE on anther platform other than winblows. Ergo, it's a winblows problem. Currently.

In the apologists defense, this apparently is a trojan horse that's exploiting third party applications to get in the door. No platform is invulnerable to this kind of attack, just because it's currently targeting winblows doesn't mean it couldn't be tweaked to target Linux or OS X instead. Trojans work by fooling the user into installing them and no OS can protect the user from him/her self.

[gggg sssss]

and Macs dont use ftp or acrobat reader or javascript?

[baconstang]

More like very few Mac users use IE. If they did and went to the sites and downloaded the Trojan, and even if they did agree to install the 'application downloaded from the internet', there is nothing in the article that says it was written to take over an OSX machine.

[Perry_Clease]

"and Macs dont use ftp or acrobat reader or javascript?"

We use those programs, but we don't use Explorer

[baconstang]

The 'gertruded' one is right, it IS a Windows problem. Besides if affected a single Mac, it would have been in the headline.

[trindnk]

I've seen 5 different variants by these folks on several different servers (friends, companies and my personal host). They are using 3 different URLs in iFrame injections and have started using a couple of different Javascript injections as well. They get in through FTP accounts...so beef up your FTP passwords and change them often. Once they get on the server and can display their content in your pages...they post Flash Files (which give them root access to the machine) and start embedding trojan, malware and spyware. It gets worse the longer you leave it up and they start putting code in smarter places until they eventually just start adding code at the end of your files...oh, and don't look for change dates on your files. They are truncating your existing files and saving with the old date and files size, so it looks like nobody has been there.

[Recklesslife85]

My website has contract the Virus. Been driven me insane untill I found out it was this!!! In the middle of cleaning up the problem.

Honesly guys do all you can to stop this from happening to your website as its a real pain.

[McNetter]

So it appears Gumblar was downloaded on a Mac of ours. It doesn't appear to show any adverse affects. But when we started using that machine to access webservers, Gumblar got into these remote servers and infected multiple websites. Affected sites apparently crashed user's computers (only HP products for some reason) and they had to have them revived by service techs. Which I'm paying for. I need to make a report about our situation. Any feedback on how this Gumblar can get from a Mac to a remote server yet not be evident on the host Mac?