Threat Management, Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

“Gumblar” website compromises increase 188 percent this week

Share

Thousands of legitimate websites have been infected since late March with code that is silently infecting visitors with malware. And as of this week, the number of compromised websites has skyrocketed.

The exploit -- in which legitimate sites have been injected with malicious code that causes visitors to be infected with a family of trojans -- has been termed “Gumblar” for the name of the domain that is hosting the malware. When a user visits one of thousands of compromised websites, it silently loads a PDF and Adobe Flash exploit from Gumblar.cn that infects the user. All a user has to do is visit a compromised website, and if JavaScript is turned on and the user's system is not up-to-date with Adobe patches, the user will be infected. Though this threat relies on a known vulnerability in Adobe Flash Player, the number of compromised websites leading to Gumblar malware has increased 188 percent during this week alone, Mary Landesman, senior security researcher at ScanSafe told SCMagazineUS.com on Thursday.

Perhaps more shocking, the number of compromised websites, which includes Tennis.com, Variety.com and Coldwellbanker.com, increased 61 percent overnight on Wednesday. According to a post on a blog called “Unmasked Parasites” this exploit has become a “prevailing problem” for website administrators this month. In numerous comments, individuals discussed their difficulties in dealing with Gumblar infections on their websites.

“My website was also infected by gumblar.cn,” one commenter going by the name “Tim” wrote. “I ran a scan, reformatted my computer, changed passwords, uploaded clean code, uploaded clean database -- website was clean for one day and then was hacked again.”

If a user visits one of the compromised websites and becomes infected, the malware causes the user's browser to redirect Google search results and also steals FTP credentials (if found) from the victim's computer.

When an infected user's Google search results page gets delivered back to the browser, the links are replaced with those of the attacker's choosing. This is a financially motivated attack, Landesman said, and the cybercriminals behind it are getting money by redirecting users to certain sites. In addition, the malware installs a backdoor that steals file transfer protocol (FTP) credentials -- usernames and passwords for administrators of websites -- so once the attacker has those FTP credentials, they can compromise that website and further propagate the exploit.

“Today, there are cocktails of threats that all work together for a single purpose,” Landesman said.

Gumblar.cn is a URL from China, but the IP address seems to point to Russia and the servers hosting it are from the UK. Adding to the confusion, other components involved in the attack point to Latvia, Landesman said. Making it difficult to determine the origin of the attack is a very conscious decision on the part of cybercriminals, done as a way to cover their tracks.

Site owners from larger sites with skilled IT staff will likely be able to recognize signs of compromise, remove it and properly secure the site. But a large number of the compromised sites are smaller and mitigating this issue is “quite often” beyond their capabilities, Landesman said. She added that for enterprises, this exploit may be particularly risky if users are not up-to-date with Adobe patches. 

A Google spokesman told SCMagazineUS.com on Monday that some compromised sites associated with this exploit may include a warning, saying “this site may harm your computer” associated with their search results listing.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.