Experts: Gumblar attack is alive, worse than Conficker

Updated May 29 at 11:25 a.m. PDT with more details, quotes throughout.

Gumblar, a new attack that compromises Web sites, has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.

The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.

As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.

Because the attackers made changes to the configurations of servers hosting compromised Web sites, they are able to continue controlling them and adding new domains for downloading exploit code onto computers of visitors to the sites, Mary Landesman, a senior security researcher at ScanSafe said on Friday. "At some point these attacks (on Web sites) will start again," she said.

Gumblar is building two botnets simultaneously--the botnet of compromised Web sites and a botnet of infected PCs, she said.

Visitors to those compromised sites, if they have JavaScript enabled, are then compromised and join the PC botnet, she said.

The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.

"It is targeting IE users and Google searches," Landesman said.

The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.

Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."

The estimate for the number of individual PCs compromised by Gumblar is also a mystery, however that number is likely very high too given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.

ScanSafe contends that Gumblar's behavior is more intrusive than Conficker, a worm that spreads via a hole in Windows through removable storage devices and network-shares with weak passwords, as well as disables security software and installs fake antivirus software.

In addition, Gumblar has extended its propagation capability, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.

The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.