Leaving the competition far behind

May 15, 2009 09:17 GMT

Malware analysts from security vendor Sophos warn that the number of pages infected with the Gumblar malicious script has recently sky-rocketed, putting the exploit at the top of the list of Web threats. The impact of the previous record setter, Mal/Iframe-F, is now dwarfed in comparison.

According to Sophos, Troj/JSRedir-R, otherwise known as the Gumblar exploit, after the rogue domain it points to, amounts to a whopping 42% of all infections on the Web today. Mal/Iframe-F occupies the second place, its number of infections being six times lower and accounting for only 7%.

"Typically, JSRedir-R is found on legitimate websites, hidden behind obfuscated JavaScript, loading malicious content from third-party sites without the user's knowledge. In the below case, the obfuscated script tries to download dangerous code from a site called gumblar.cn," Graham Cluley, Sophos' senior technology consultant, explains.

The obfuscation method used by Gumblar is fairly simple: characters are replaced with their percent-encoded hexadecimal value, for example "%20" instead of a space, and the % sign is then swapped for an arbitrary character. The JavaScript code includes a replace function at the end, which puts % back in place of the arbitrary character so the string can be decoded at runtime.
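As an added example (not code from the article, from Sophos or from any real sample), the following Node.js script statically undoes the scheme just described: it locates the `.replace(/marker/g, "%")` call, takes the longest quoted literal as the encoded payload (an assumption for this example; real samples vary), restores the % signs the same way the script would, and percent-decodes the result for inspection. Nothing from the analysed script is executed. The sample script is constructed and decodes to a harmless `console.log("ok")`.

```javascript
// Added example: static decoder for the "%"-marker obfuscation described
// in the article. Pure string processing; the sample is never evaluated.

// Tell-tale restore call: .replace(/<marker>/g, "%")
const RESTORE_CALL = /\.replace\(\s*\/((?:[^\/\\]|\\.)+)\/g\s*,\s*["']%["']\s*\)/;

// Heuristic (assumption for this example): the encoded payload is the
// longest quoted string literal in the script.
function longestStringLiteral(script) {
  const literals = script.match(/"[^"\\]*"|'[^'\\]*'/g) || [];
  return literals
    .map((l) => l.slice(1, -1))
    .reduce((best, cur) => (cur.length > best.length ? cur : best), '');
}

// Equivalent of JavaScript's unescape(): %XX and %uXXXX become characters.
function percentDecode(text) {
  return text.replace(/%(u[0-9a-f]{4}|[0-9a-f]{2})/gi, (_, hex) =>
    String.fromCharCode(parseInt(hex.replace(/^u/i, ''), 16)));
}

// Returns null when the script does not use the "%"-restore pattern,
// otherwise the marker, the decoded payload and a cheap confidence signal
// (how much shorter the decoded text is than the encoded literal).
function decodeObfuscatedScript(script) {
  const m = script.match(RESTORE_CALL);
  if (!m) return null;
  const marker = m[1];
  const literal = longestStringLiteral(script);
  // Undo the marker substitution exactly as the script does, as a regex.
  const restored = literal.replace(new RegExp(marker, 'g'), '%');
  const decoded = percentDecode(restored);
  const encodedRatio = 1 - decoded.length / Math.max(literal.length, 1);
  return { marker, decoded, encodedRatio };
}

// Constructed sample in the described shape ("%" swapped for "@").
// It decodes to console.log("ok"), not to anything from a real infection.
const SAMPLE =
  '(function(){var s="@63@6f@6e@73@6f@6c@65@2e@6c@6f@67@28@22@6f@6b@22@29";' +
  'eval(unescape(s.replace(/@/g,"%")))})();';

console.log(JSON.stringify(decodeObfuscatedScript(SAMPLE)));
```

The marker is applied as a regular expression because that is what the injected script itself does; a script that restores % with a plain string replace would need a small adjustment to the `RESTORE_CALL` pattern.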

There are numerous variations of this script in the wild, and they can usually be found right before the "body" tag in compromised HTML documents. They all query gumblar.cn, which is blacklisted by Google, for additional malicious scripts. "Unlike the recent iframe exploits, where the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.) this gumblar script is injected into every web page," the Unmask Parasites blog warns.

Since this script has been found on websites running a variety of PHP applications, it cannot be tied to a particular vulnerability. Instead, compromised FTP credentials might be the point of entry. Paul Baccas, virus researcher at Sophos, attributes the infections to the PHPMod-A Trojan. The payload is also said to change permissions of various directories on the webserver and drop an image.php file into the 'images' folder.

What is also interesting is that the exploit infects different file types with different code, meaning the code inserted into .js files differs from the code inserted into .php files. This is obviously required for the malicious code to execute properly in each context, but the fact that it successfully targets more than .html files makes the threat considerably more dangerous and harder to clean.

If you have reason to believe that your website has been compromised by this threat, make sure your computer is clean of malware, change the passwords for your FTP accounts and re-upload the website from a clean backup.