ScanSafe - Gumblar Botnet Reactivates and Spreads Malware
According to researchers at online security firm 'ScanSafe,' several websites that were compromised by the Gumblar assaults during May 2009 are now serving malicious software to visitors, as reported by V3 on October 17, 2009.
The researchers state that, unlike earlier waves of the mass website compromise known as Gumblar, the current round places the exploit code on the machines hosting the websites themselves. Notably, the malware's file and directory names are often identical to those of legitimate files already on the compromised site.
The botnet was named 'Gumblar' because its first attacks used the malicious gumblar.cn domain. Besides stealing usernames, passwords and FTP credentials, a second piece of malware now accompanies the original one, creating a backdoor on infected computers.
Attackers use the stolen FTP credentials to hijack more websites, then reconfigure those sites with weaker security settings so that they remain exposed to further attacks even after their passwords are subsequently changed.
Most of the hijacked sites are small and hosted in non-English-speaking countries, but that makes no difference to the attackers, who still manage to steer traffic straight to the malware-serving sites.
Mary Landesman, Senior Security Researcher at ScanSafe, states that it is not possible to estimate the total number of websites attacked, but based on the total number of attacks prevented and the research conducted over recent days, there appear to have been a few thousand compromises, as reported by Eweek on October 16, 2009.
The researchers also said that web users visiting Gumblar-compromised websites would notice nothing unusual. In the background, however, PHP code checks the versions of Adobe Flash and Adobe Reader on the visitor's computer; if either is outdated, the code hijacks the machine by exploiting known security flaws in that version. If both programs are current, the code then checks whether the system is vulnerable to flaws for which Microsoft patches are available.
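As an added illustration, not taken from the ScanSafe report, the following Python script shows one defensive check a site owner can run against the naming trick described above: it hashes a baseline snapshot of the web root and, on a later snapshot, flags new files, modified files, and in particular new files whose basename duplicates a legitimate file elsewhere on the site. The directory layout and file contents are constructed for the demo; the check only helps if the baseline was taken before the compromise.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map of path-relative-to-root -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots of a web root taken at different times.

    'added'     : files not present in the baseline
    'modified'  : files whose content hash changed
    'lookalike' : added files whose basename already exists elsewhere in the
                  baseline (a new index.php under images/, say), which deserve
                  a closer look than an ordinary new upload
    """
    added = [p for p in current if p not in baseline]
    modified = [p for p in current if p in baseline and baseline[p] != current[p]]
    known_names = {Path(p).name for p in baseline}
    lookalike = [p for p in added if Path(p).name in known_names]
    return {"added": added, "modified": modified, "lookalike": lookalike}

def demo() -> dict:
    """Constructed web root: take a baseline, then simulate an unauthorized FTP upload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        baseline = snapshot(root)
        # Constructed post-compromise state: a new file reusing the legitimate
        # name index.php inside images/, an unrelated new file, and the real
        # index.php altered in place.
        (root / "images" / "index.php").write_text("<?php /* constructed placeholder */ ?>")
        (root / "images" / "new.gif").write_bytes(b"GIF89a")
        (root / "index.php").write_text("<?php echo 'hello'; /* appended */ ?>")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the server (an attacker holding the FTP credentials could otherwise rewrite it), and the comparison run on a schedule or after any password change.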
» SPAMfighter News - 30-10-2009