Windows Personal Computers
Visitors to an infected site will be redirected to an alternative site containing further malware. Initially, this alternative site was gumblar.cn, but it has since switched to a variety of domains. The site sends the visitor an infected PDF that is opened by the visitor's browser or Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user's computer. Newer variations of Gumblar redirect users to sites running fake anti-virus software.
The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients' stored passwords. Gumblar also enables promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer.
The virus will also modify .htaccess and HOSTS files, and create images.php files in directories named 'images'. The infection is not a server-wide exploit. It will only infect sites on the server that it has passwords to.
Different companies use different names for Gumblar and variants. Initially, the malware was connecting to gumblar.cn domain but this server was shut down in May 2009. However, many badware variants have emerged after that and they connect to other malicious servers via iframe code.
- Staff (15 May 2009). "New computer virus on rise, warn security experts". The Telegraph (London). Retrieved 2009-07-07.
- Leyden, John (19 May 2009). "Gumblar Google-poisoning attack morphs". The Register. Retrieved 2009-07-07.