
Friday, May 22, 2009

"Gumblar" goes 188%, stealing the spotlight from Conficker

"Gumblar" is a new type of website-based attack that injects itself into web files. The changes made by the Gumblar malware vary from site to site, and even from page to page within the same site. This makes detection through signatures difficult, and as a result infections from Gumblar continue to rise. A user is at risk simply by visiting an infected website: the attack exploits vulnerabilities in Internet Explorer and in vulnerable plug-ins such as Adobe PDF and Flash. Once the user's browser has been compromised, the malware redirects Google searches to its own list of fraudulent and bogus websites, exposing victims to yet another attack.

When Gumblar was first detected, its malware scripts pointed to the malicious websites that Google later delisted, which made signature scanning possible. After the delisting, Gumblar evolved into a more elusive form: its malware scripts are now dynamically generated and hard to detect. It continues to propagate by stealing the victim's FTP credentials, if they have any, and using them to infect the websites the victim owns or runs. It also installs a backdoor program that makes the victim's PC a slave in a botnet. The attack has now spiked 188% and continues to grow.

One way of avoiding this malware is to install all the updates provided by Microsoft and Adobe. The exploited Adobe flaws are described in the following Adobe advisories: APSA08-01 and 11.

Preventive measures:

1. Regularly scan your computer for spyware. You can use Spybot or Malwarebytes.
2. Use strong FTP passwords, or better, use SFTP or secured FTP. Just changing the FTP password once infected won't work, as Gumblar installs backdoor access to your site. Using secured FTP is recommended.
3. Always keep a backup of your website files. The Gumblar malware can add different scripts across your site, and manual deletion of the scripts is not recommended. If infected, wipe all your website files clean and upload your backup.
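Because the injected scripts vary per page and are generated dynamically, signatures are a weak detection; comparing the live web root against the known-good backup from item 3 catches any injection regardless of what the script looks like. The following Python integrity check is an added example, not code from the original post or from ScanSafe; the directory names and the appended script block are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_to_backup(backup_dir, live_dir):
    """Return (modified, added, deleted) relative paths of the live web root
    versus the known-good backup. An injected script shows up as a modified
    page or as a new file, whatever the injected code happens to look like."""
    backup, live = hash_tree(backup_dir), hash_tree(live_dir)
    modified = sorted(p for p in backup if p in live and backup[p] != live[p])
    added = sorted(p for p in live if p not in backup)
    deleted = sorted(p for p in backup if p not in live)
    return modified, added, deleted


def demo():
    """Constructed sample: a two-file site backup and a live copy in which one
    page has a script block appended and one new file has appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "htdocs"
        for d in (backup, live):
            (d / "js").mkdir(parents=True)
            (d / "index.html").write_text("<html><body>Hello</body></html>\n")
            (d / "js" / "site.js").write_text("document.title = 'site';\n")
        # Constructed stand-in for injected content; not Gumblar's real script.
        with open(live / "index.html", "a") as f:
            f.write("<script>/* injected placeholder */</script>\n")
        (live / "js" / "extra.js").write_text("/* new file */\n")
        return compare_to_backup(backup, live)


if __name__ == "__main__":
    modified, added, deleted = demo()
    print("modified:", modified)   # ['index.html']
    print("added:", added)         # ['js/extra.js']
    print("deleted:", deleted)     # []
```

Any file listed as modified or added is a candidate for restoring from the backup rather than editing by hand.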

More information and updates can be found on the ScanSafe blog.