Features new exploits and architecture

Oct 22, 2009 11:59 GMT  ·  By

Security researchers warn that the Gumblar Web threat has returned with a more potent version. The new iteration features serious changes in architecture, making it more resilient to takedown attempts, and also serves new exploits.

In May 2009, the number of websites compromised by a new mass Web injection attack exploded. Security researchers dubbed the threat Gumblar, after gumblar.cn, the domain from which it loaded its malicious code. According to some security vendors, Gumblar went on to become the most widespread computer malware of the second quarter of 2009.

Stolen FTP credentials were used to compromise websites and inject a rogue IFRAME that loaded malicious JavaScript code from an external domain. This code attempted to exploit outdated versions of popular programs such as Adobe Flash Player or Adobe Reader in order to infect visitors' computers with malware.

However, the new Gumblar version detected in the wild no longer uses a single domain to host its exploit kit. Instead, every compromised website serves as a source for the malicious script. What is interesting is that the original file system paths on the servers are mimicked. For example, if the server has a legitimate header.gif in a directory called img, the malicious script will be dropped as header.php in the same directory.
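The path-mimicry pattern described above lends itself to a simple file-system check. The following is an added example, not code from the article or from any vendor quoted in it: it walks a web root and flags any server-side script whose base name matches a static asset in the same directory (the constructed img/header.gif beside img/header.php case). The sample directory tree is built inline so the script runs offline.

```python
"""Heuristic check for Gumblar-style file-name mimicry (added example).

Flags a script file that shares its base name with a static asset in the
same directory, e.g. img/header.gif next to an unexpected img/header.php.
Extension sets and the sample layout below are assumptions for illustration.
"""
import os
import tempfile

STATIC_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".css", ".ico"}
SCRIPT_EXTS = {".php", ".php5", ".phtml"}


def find_mimicking_scripts(webroot):
    """Return sorted web-root-relative paths (forward slashes) of scripts whose
    stem matches a static asset in the same directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        # Group extensions per case-folded stem within this directory.
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), []).append((name, ext.lower()))
        for entries in by_stem.values():
            exts = {ext for _name, ext in entries}
            if exts & STATIC_EXTS and exts & SCRIPT_EXTS:
                for name, ext in entries:
                    if ext in SCRIPT_EXTS:
                        rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                        hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree: a legitimate img/header.gif beside a suspicious
    img/header.php, plus a legitimate script with no matching asset."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html><body>hello</body></html>",
        "img/header.gif": "GIF89a",
        "img/header.php": "<?php /* constructed placeholder */ ?>",
        "img/logo.png": "PNG",
        "inc/config.php": "<?php $x = 1; ?>",  # legitimate, should not be flagged
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in find_mimicking_scripts(build_sample_webroot()):
        print("suspicious:", hit)  # prints img/header.php
```

Run it against a real web root by replacing build_sample_webroot() with the document root path; a hit warrants comparing the file against a known-good copy rather than deleting it outright.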

As in previous attacks, a rogue IFRAME pointing to the script is injected into the pages of every compromised website. But even though their number is well into the thousands, these are small, foreign-language websites that offer little exposure. Because of this, the Gumblar gang also found a way to inject the IFRAME into forum posts, which have a better chance of being visited.

"The injected forums we've seen thus far are using feed aggregators to push their forum posts out to subscribers, who are then exposed to the iframe," Mary Landesman, a senior security researcher at Web security company ScanSafe, explains. She also notes that the malware dropped by successful exploitation is configured to load when any sound-enabled application is launched and that it modifies the sqlsodbc.chm system file.

Security researchers from IBM's X-Force division also point out that the JavaScript obfuscation of the new Gumblar version was enhanced to avoid detection and that new exploits have been added to the toolkit. This includes one for a recently patched vulnerability in Adobe Reader, and two for older bugs in Adobe Flash Player and Microsoft Office Web Components. "Gumblar is a force to be reckoned with, and this latest push of theirs is a true testament to that fact," they conclude.