A JavaScript redirector

May 28, 2009 09:02 GMT

Microsoft warned of an increase in web-based attacks related to a family of malicious code referred to as Gamburl, also known as Gumblar or Redir. Gamburl is essentially a JavaScript redirector, and it poses a high level of risk to end users because the code is placed on legitimate websites that have been compromised by attackers. Microsoft said it had confirmed the existence of legitimate webpages in the wild that had been modified to contain the malicious script. While victims think that they are safe when visiting trusted and familiar online destinations, the addition of Gamburl means that drive-by attacks could be just “around” the next click.

Elda Dimakiling and Jireh Sanico from the Microsoft Malware Report Center explained that: “When a user visits a site containing a Gamburl script, the browser will be redirected to a specific Web site that contains a slew of exploits and other malware. As of this writing, Gamburl is known to redirect to the following Web sites: gumblar.cn; martuz.cn. Once connected to the above sites, Gamburl tries to download other malware into the system. From what we have observed, these malware are mostly backdoors, PDF and Shockwave exploits.”
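An added example, not part of the original article or of Microsoft's write-up: a check that scans web proxy logs for requests to the two redirect destinations named in the quote and reports, per client, the referring site (a candidate for a page carrying the script). The log format, the sample lines, the client addresses and the example.* hosts are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Redirect destinations named in the Microsoft quote above.
REDIRECT_DOMAINS = ("gumblar.cn", "martuz.cn")

# Constructed sample lines in an assumed proxy log format:
# timestamp client_ip method url status "referer"
SAMPLE_LOG = """\
2009-05-27T10:01:02Z 10.0.0.15 GET http://www.example.org/index.html 200 "-"
2009-05-27T10:01:03Z 10.0.0.15 GET http://gumblar.cn/ 200 "http://www.example.org/index.html"
2009-05-27T10:04:40Z 10.0.0.22 GET http://sub.martuz.cn/ 200 "http://shop.example.net/"
2009-05-27T10:04:41Z 10.0.0.22 GET http://GUMBLAR.CN:80/ 200 "-"
2009-05-27T10:09:12Z 10.0.0.31 GET http://search.example.com/?q=gumblar.cn 200 "-"
2009-05-27T10:09:13Z 10.0.0.31 GET http://notgumblar.cn/ 200 "-"
2009-05-27T10:09:14Z 10.0.0.31 GET http://martuz.cn.example.com/ 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def is_redirect_host(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REDIRECT_DOMAINS)

def find_redirects(log_text):
    """Map each client that contacted a listed domain to its referring sites."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, _, url, _, referer = m.groups()
        # Compare the parsed hostname, not the raw line: a substring search
        # would also flag search queries and look-alike hostnames.
        if is_redirect_host(urlsplit(url).hostname):
            hits[client].add(urlsplit(referer).hostname or "(no referer)")
    return {client: sorted(refs) for client, refs in hits.items()}

if __name__ == "__main__":
    for client, refs in sorted(find_redirects(SAMPLE_LOG).items()):
        print(f"{client} contacted a Gamburl redirect domain; referred by: {', '.join(refs)}")
```

Clients reported here are candidates for follow-up checks, and the referring sites are candidates for review by their owners.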

At the same time, Microsoft said that malformed webpages could lead to infections with malicious code from the Win32/Daonol family. Daonol Trojans are used to redirect searches to additional malicious websites. Removal is all the more difficult because the malware blocks access to the websites of security companies.

“Daonol is also capable of stealing information, such as FTP credentials, and placing the information in a file in the Windows system folder called sqlsodbc.chm. Note that a file named sqlsodbc.chm exists by default when you install Windows, and so is overwritten if your system has been infected by Daonol. This may be a symptom of Gamburl/Daonol infection,” Dimakiling stated.