Figure: Gumblar block rates. Source: ScanSafe Q4 threat report, 2009

Gumblar goes into overdrive

19 November 2009

The Gumblar botnet has moved into overdrive, changing its operating model to dramatically increase its infection rates, according to the latest monthly threat report from ScanSafe.

Originally discovered in the first quarter of this year, Gumblar infects PCs, steals the FTP credentials stored on them, and uses those credentials to compromise PHP-based websites. In October, Gumblar began using the compromised websites to host the malware directly, applying server-side polymorphism to thwart signature-based detection.

These compromised websites now act as malware servers: the payload is delivered through thousands of other websites that have been compromised and injected with HTML iframe tags that load content from them.
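A site owner who suspects this kind of injection can check their own pages for iframes that are hidden (zero-sized or styled invisible) and load from a host other than the site itself. The following scanner is an added example, not code from the article or from ScanSafe; the sample HTML and the host names in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the site's own content plus an injected,
# zero-size iframe of the kind described in the article. The host
# names are placeholders, not real Gumblar infrastructure.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/embed/video" width="400" height="300"></iframe>
<iframe src="http://compromised-host.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag (keys lower-cased)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """True if the frame is sized to zero or hidden via inline style."""
    size = [attrs.get("width", ""), attrs.get("height", "")]
    zero = any(v.strip().rstrip("px").strip() == "0" for v in size)
    style = attrs.get("style", "").replace(" ", "").lower()
    return zero or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html, site_host):
    """Return (src, reason) for iframes that are hidden and load from a
    third-party host, which is the injection pattern the article describes.
    Relative URLs have no host and are treated as the site's own content."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        third_party = host is not None and host.lower() != site_host.lower()
        if third_party and _is_hidden(attrs):
            hits.append((src, "hidden iframe loading from third-party host"))
    return hits

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(f"{why}: {src}")
```

A hit is a reason to compare the page against a known-good copy and to rotate the FTP credentials used to publish it, since the article attributes the injections to stolen credentials.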

The significance is that whereas traditional drive-by downloads are delivered via a handful of malware servers, Gumblar is now serving malware from at least 2000 actual websites, explained Mary Landesman, senior security researcher at ScanSafe. "As a result, there is no single or few points at which to target efforts to shut down the source of malware", she warned.

This has led to a drastic increase in Gumblar infections. In September, Gumblar accounted for around 2% of all malware blocked by ScanSafe's systems; in October the figure reached 29%, according to the ScanSafe Global Threat Report for Q4. This is despite errors in the malware that can cause an infected site to render incorrectly.

Ongoing analysis suggests that other groups of attackers are also using the backdoors left behind by Gumblar, ScanSafe said.

Gumblar specifically targets PHP-based websites with its backdoor, and infects visiting clients through malicious PDF, Flash and Office Web Components (OWC) content.
