Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R[1] this botnet first appeared in 2009.

Infection

Windows Personal Computers

Gumblar.X infections were widely seen on systems running newer MacOS operating systems.[2] Visitors to an infected site will be redirected to an alternative site containing further malware. Initially, this alternative site was gumblar.cn, but it has since switched to a variety of domains. The site sends the visitor an infected PDF that is opened by the visitor's browser or Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user's computer. Newer variations of Gumblar redirect users to sites running fake anti-virus software.

The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients' stored passwords. Gumblar also enables promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated packet analyzer.

Servers

Using passwords obtained from site admins, the host site will access a website via FTP and infect that website. It will download large portions of the website and inject malicious code into the website's files before uploading the files back onto the server. The code is inserted in any file that contains a <body> tag, such as HTML, PHP, JavaScript, ASP and ASPx files. The inserted PHP code contains base64-encoded JavaScript that will infect computers that execute the code. In addition, some pages may have inline frames inserted into them. Typically, iframe code contains hidden links to malicious websites.

The virus will also modify .htaccess and HOSTS files, and create images.php files in directories named 'images'. The infection is not a server-wide exploit. It will only infect sites on the server that it has passwords to.

Gumblar variants

Different companies use different names for Gumblar and variants. Initially, the malware was connecting to gumblar.cn domain but this server was shut down in May 2009.[3] However, many badware variants have emerged after that and they connect to other malicious servers via iframe code.

Gumblar resurfaced in January 2010, stealing FTP usernames and passwords and infecting HTML, PHP and JavaScript files on webservers to help spread itself.[4] This time it used multiple domains, making it harder to detect/stop.[5]

See also

References

  1. Matthew Broersma. "'Gumblar' attacks spreading quickly". Archived from the original on 25 October 2012. Retrieved 26 July 2012.
  2. "Trojan-Downloader:JS/Gumblar.X Description - F-Secure Labs". www.f-secure.com.
  3. Binning, David (15 May 2009). "Reports of Gumblar's death greatly exaggerated". Computer Weekly. Retrieved 2009-07-07.
  4. "Gumblar-family virus removal tool". 22 December 2009.
  5. "Sucuri MW:JS:151 Gumblar malware - domains used".
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.