An untested version of Gumblar wreaks chaos on PHP CMS-driven sites

Nov 5, 2009 15:36 GMT

Independent security researcher Denis Sinegubko has recently stumbled upon a new version of the Gumblar Web botnet that has a distinct appetite for PHP CMS-driven websites. Mr. Sinegubko found that this latest version (the "untested version," as he calls it) has so far affected more than 300,000 PHP websites, of which about 65,000 run the WordPress blogging platform and 38,000 run the Joomla! CMS.

In his opinion, Gumblar's authors may have unintentionally leaked an untested version onto the Web. This latest threat appears to target complex, multi-file PHP applications (commonly referred to as CMSs) such as WordPress, Joomla, Drupal, phpBB, vBulletin, Zen Cart, Magento, etc.

The attack begins once the botnet manages to obtain FTP credentials for a website. After securing backdoor access to the victim's site, the botnet opens the host's PHP files and prepends a line of code to each of them. That line is a PHP statement containing a base64-encoded function which, when evaluated, runs further PHP and JavaScript code that in turn tries to inject more code into other files.

Whenever a visitor requests a page, the injected declaration is evaluated once for every infected file that gets included, and since PHP does not allow the same function to be declared more than once, the page dies with an error like the one below. The many declarations inside the injected code, together with the fact that the botnet is anything but unobtrusive, point to the conclusion that this is an untested alpha or beta version of a future botnet.

Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) :
eval()'d code:1)
in /path/to/site/wp-config.php(1) : eval()'d code on line 1

Fortunately for an infected website's visitors, this version is not harmful to them. Unfortunately for webmasters, they face a lot of work to bring their websites back online. Mr. Sinegubko was kind enough to publish a set of tools and procedures that admins can use to reclaim their sites, which can be found on his blog.
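The following scanner is an added example for this article, not code from Mr. Sinegubko's toolkit or from the botnet: it decodes (never executes) an `eval(base64_decode(...))` wrapper found on line 1 of a PHP file, lists the function names the payload declares, and flags any name declared in more than one infected file, which is exactly what produces the "Cannot redeclare" fatal error quoted above. The shape of the injected line and the sample payload are assumptions constructed for the demo.

```python
import base64
import binascii
import re
from collections import Counter

# Assumed shape of the injected line 1: "<?php eval(base64_decode('...')); ?>" (optionally with a
# /* */ comment after the tag). Real samples may vary in spacing; adjust the pattern to what you hold.
INJECT_RE = re.compile(
    r"""^<\?php\s*(?:/\*.*?\*/\s*)?eval\(\s*base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*;\s*\?>""")
FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")

def inspect_first_line(text):
    """Decode (never execute) an injected wrapper on line 1 -> (payload, [declared funcs]) or None."""
    m = INJECT_RE.match(text.split("\n", 1)[0])
    if not m:
        return None
    try:
        payload = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        payload = ""  # corrupt or truncated blob: still report the file as injected
    return payload, FUNC_RE.findall(payload)

def scan_files(files):
    """files: {path: text}. Returns (infected {path: [funcs]}, names declared in more than one file).
    A function declared in two included files is exactly what raises PHP's 'Cannot redeclare' fatal error."""
    infected = {}
    for path, text in files.items():
        hit = inspect_first_line(text)
        if hit is not None:
            infected[path] = hit[1]
    counts = Counter(name for funcs in infected.values() for name in set(funcs))
    return infected, sorted(name for name, n in counts.items() if n > 1)

def strip_injection(text):
    """Remove only the injected first line; a clean file comes back unchanged."""
    first, _, rest = text.partition("\n")
    return rest if INJECT_RE.match(first) else text

# Constructed sample: a harmless stand-in payload declaring xfm(), the name seen in the article's error.
SAMPLE_PAYLOAD = "function xfm() { return 1; } xfm();"
SAMPLE_LINE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()

if __name__ == "__main__":
    demo = {"index.php": SAMPLE_LINE + "\n<?php echo 'home'; ?>",
            "wp-config.php": SAMPLE_LINE + "\n<?php define('DB_NAME', 'x'); ?>",
            "readme.php": "<?php echo 'clean'; ?>"}
    print(scan_files(demo))  # xfm is declared in two files: the 'Cannot redeclare xfm()' symptom
```

On a real site, build the `files` mapping from `pathlib.Path(root).rglob("*.php")` and restore from a known-good backup rather than trusting `strip_injection` alone, since the payload may have written additional files beyond the prepended line.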