Updated May 29 at 11:25 a.m. PDT with more details, quotes throughout.
Gumblar, a new attack that compromises Web sites, has added new domain names from which it downloads malware onto unsuspecting computers, steals FTP credentials to compromise more sites, and tampers with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.
Because the attackers made changes to the configurations of servers hosting compromised Web sites, they are able to continue controlling them and adding new domains for downloading exploit code onto computers of visitors to the sites, Mary Landesman, a senior security researcher at ScanSafe said on Friday. "At some point these attacks (on Web sites) will start again," she said.
Gumblar is building two botnets simultaneously--the botnet of compromised Web sites and a botnet of infected PCs, she said.
Visitors to those compromised sites, if they have JavaScript enabled, are then compromised and join the PC botnet, she said.
The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.
"It is targeting IE users and Google searches," Landesman said.
The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."
How many individual PCs Gumblar has compromised is also unknown; that number is likely very high too, given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.
ScanSafe contends that Gumblar's behavior is more intrusive than that of Conficker, a worm that spreads through a Windows vulnerability, removable storage devices, and network shares with weak passwords, and that also disables security software and installs fake antivirus software.
In addition, Gumblar has extended its propagation capability, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);
2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;
3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;
4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
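The four steps above, as an added example script that is not part of the article and not ScanSafe's tooling. It computes the SHA1 and size of sqlsodbc.chm with Python's standard library instead of FileAlyzer and compares the pair against a reference list; the pairs in REFERENCE are constructed placeholders, not the real values from the ScanSafe STAT Blog, and must be replaced with the published list before use.

```python
"""Check a local sqlsodbc.chm against a known-good (sha1, size) list.

Added example for this article; not ScanSafe's tool. The reference
pairs below are CONSTRUCTED placeholders, not the real list from the
ScanSafe STAT blog: replace them with the published values before use.
"""
import hashlib
import os
import sys

# Default location on Windows XP, as given in the article.
DEFAULT_PATH = r"C:\Windows\System32\sqlsodbc.chm"

# Constructed placeholder reference list: (sha1 hex digest, size in bytes).
# These values are NOT the real known-good hashes.
REFERENCE = {
    ("0000000000000000000000000000000000000000", 0),
}


def sha1_and_size(path):
    """Return (sha1 hex digest, size in bytes) of the file at path.

    Hashes in chunks so a large file does not need to fit in memory.
    """
    h = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def check_file(path, reference=REFERENCE):
    """Return 'missing', 'ok' or 'suspect'.

    'ok' means the (sha1, size) pair appears on the reference list;
    'suspect' means it does not, which the article treats as a possible
    Gumblar indicator (not proof: a vendor update could also produce a
    hash the list has not caught up with).
    """
    if not os.path.isfile(path):
        return "missing"
    digest, size = sha1_and_size(path)
    # Compare case-insensitively: published lists often use upper-case hex.
    normalized = {(s.lower(), n) for s, n in reference}
    return "ok" if (digest, size) in normalized else "suspect"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    verdict = check_file(target)
    if verdict == "missing":
        print(f"{target}: not found")
    else:
        digest, size = sha1_and_size(target)
        print(f"{target}: sha1={digest} size={size} -> {verdict}")
```

Run it with no argument to check the default XP path, or pass another path on the command line. Both the hash and the size are compared because the reference list publishes pairs; a "suspect" verdict is the trigger for further investigation, not a confirmed infection.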
The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.
The attackers behind a series of rapidly spreading Web site compromises have begun using a new domain to deliver their malicious code, security experts say.
The attacks, collectively referred to as "Gumblar" by ScanSafe and "Troj/JSRedir-R" by Sophos, grew 188 percent over the course of a week, ScanSafe said late last week. The Gumblar infections accounted for 42 percent of all infections found on Web sites last week, Sophos said.
Over the weekend, the Chinese Web domain used to deliver the malicious code--gumblar.cn--stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in Web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an advisory.
"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said.
Changes to the script make it more difficult to identify and harder for the Google Chrome browser to detect, Unmask Parasites said.
Gumblar was first detected in March and has spread more quickly since then, against the expectations of security experts.
"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman, said late last week in an advisory.
In the Gumblar attacks, the opposite is occurring, partly because Web site administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.
Sites affected include Tennis.com, Variety.com, and Coldwellbanker.com, according to ScanSafe.
The attacks were carried out in multiple stages, beginning in March, when a number of Web sites were compromised and attack code embedded within them, ScanSafe said.
Then, in early May, as Web site operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.
The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.
They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.
The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the U.K., according to ScanSafe. That domain has now changed to martuz.cn.
Matthew Broersma of ZDNet UK reported from London.