Gumblar Introduces Change in Tactics

The masterminds behind the Gumblar botnet and its related malware campaign keep adopting new techniques to evade detection and to prevent security experts from downloading and studying fresh variants of the malware.

According to security researchers, recent analysis of Gumblar's activity suggests that the latest variant (or one of the current variants) includes new functionality that checks which country a freshly infected computer is located in during the initial stage of infection, eSecurity Planet reported on May 5, 2010.

The sole aim of this check is to stop Gumblar from compromising any further systems in Japan, because researchers in Japan have been very meticulous in detecting and separating components of the botnet's network.

Security experts noted that Gumblar has been continuously infecting computers and servers for over a year now, with a high success rate. The attackers' change in tactics suggests that they are not going to sit idle. What has changed since the botnet began operating is the number of infected servers and the extra layer of servers in its malicious chain.

Gumblar's infection process now starts from a legitimate webpage that contains an injected <script> tag. This page, known as the html-redirector, refers to a server running PHP that generates JavaScript, which in turn redirects the targeted browser. This server is called a php-redirector. The chain ends at a server that hosts a collection of exploits used to attack internet users.
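A site owner can check pages for the first link of this chain. The following is an added example, not code from the article or from the researchers it cites. It lists `<script>` tags whose `src` points to a PHP script on a host other than the page's own. That combination is a heuristic assumed here, not a Gumblar signature, and the host names and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())

def suspicious_scripts(page_url, html, allowed_hosts=()):
    """Return absolute script URLs that are off-site and end in .php.

    Heuristic only (assumption of this example): the article describes an
    injected <script> tag that refers to PHP on another server.
    """
    trusted = {urlparse(page_url).hostname, *allowed_hosts}
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        parts = urlparse(absolute)
        if parts.hostname not in trusted and parts.path.lower().endswith(".php"):
            flagged.append(absolute)
    return flagged

# Constructed sample page: local script, allowed CDN, off-site PHP, inline code.
SAMPLE_URL = "http://shop.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/menu.js"></script>
<script src="http://cdn.example.org/lib.js"></script>
<script src="//unknown.example.net/images/counter.php"></script>
<script>var inline = 1;</script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for url in suspicious_scripts(SAMPLE_URL, SAMPLE_HTML, {"cdn.example.org"}):
        print("review:", url)
```

A flagged URL is a prompt to compare the page against a known-good copy, not proof of compromise. Legitimate third-party widgets can match the same pattern, so add them to `allowed_hosts`.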

Vitaly Kamluk, from security firm Kaspersky's Japanese office, found in his latest research that the complicated Gumblar network currently consists of a minimum of 4,460 backdoored servers, Threatpost reported on May 4, 2010.

Kamluk further noted that the number of compromised client systems in Gumblar's network remains unknown for now, but it is believed to be higher than the number of compromised servers, as the server count only reflects infected users who have their own websites and use FTP clients on compromised systems, The New New Internet reported on May 5, 2010.

Related article: Gumblar Attack Diverting Online Users from Google Results to Malicious Pages

» SPAMfighter News - 5/17/2010
