Self-building Botnet Gumblar Making a Comeback
According to the Internet security company Kaspersky Labs, Gumblar, a gigantic botnet, is steadily resurging and has brought down numerous websites and blogs this year (2009), including those built on Joomla, Drupal, WordPress and other PHP-based sites.
The security company states that the surprising aspect of the Gumblar attacks is not the tens of thousands of computers involved globally, but the botnet's intrinsically organized structure. Its fully automated, hierarchical structure sets it apart from others.
According to Kaspersky, its research team has so far studied over 600MB of database data associated with the recent Gumblar revival. On the whole, the team detected 2,000 or more 'infectors' (i.e. PCs hosting the malware pieces or payload) and 76,100 or more 'redirectors' (i.e. PCs having links to the malicious websites). Incidentally, a majority of these infectors work as redirectors as well.
However, certain compromised websites, known as 'injectors,' were responsible for the actual hijacking of the redirectors and infectors, explained Kaspersky Labs. These injectors numbered only about 50 during November 2009 and were in fact proxies obeying commands from an even smaller number of compromised sites known as 'dispatchers.' Apart from the dispatchers, all the other websites were PHP-based, possibly running on Linux, Kaspersky said.
Gumblar works in a fully automated fashion, building botnets all on its own, according to Kaspersky. In these malware attacks, the hackers compromise File Transfer Protocol (FTP) credentials instead of employing the typical technique of code injection.
Furthermore, the Gumblar malware has been revived and the botnet is back in action, acknowledged researchers at security company ScanSafe.
Mary Landesman, Senior Security Researcher at ScanSafe, has stated that, worryingly, during early November 2009 the researchers found that when the Gumblar attackers left the backdoor on the hijacked sites, other attackers exploited it, thus bringing those sites under their hold. Landesman describes this development as one that aggravates the seriousness of the situation, as reported by Webfinanser in the 3rd week of November 2009.
Since Gumblar has proved to be a highly insidious threat for modern website operators as well as Web-surfers, it is advisable that people safeguard their computers well in advance.
» SPAMfighter News - 15-12-2009