Gumblar botnet awake after five months

Malware injects iframe.

The Gumblar botnet has resurfaced five months after it first rose to prominence.

Mary Landesman, senior security researcher at ScanSafe, said that, having built a botnet of compromised websites in May, Gumblar is now using those same compromised websites to host its malware.

Landesman said: “In a typical outbreak situation, there are compromised websites that act as a conduit for malware hosted on an attacker owned site. But in this case, the malware resides on thousands of legitimate (but compromised) websites.

“The majority of the compromised websites are small 'mom and pop' style websites in non-English speaking countries, but that's not important because the attackers have a clever trick for driving traffic directly to the malware hosted on those sites.

“An iframe pointing to the malicious script on the compromised site is forcibly injected on various forums. The injected forums we've seen thus far are using feed aggregators to push their forum posts out to subscribers, who are then exposed to the iframe.”
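The delivery vector Landesman describes above, an iframe injected into forum posts and then relayed by feed aggregators, can be caught on the relaying side. The following is an added example (not code from the article or from ScanSafe) of a check a feed aggregator or web proxy could run over each post's HTML before passing it on: it flags iframes that point to a host other than the forum's own, and iframes that are hidden or zero-sized. The trusted hostname, the `.invalid` host, and both sample posts are constructed for the example.

```python
"""Flag injected iframes in syndicated forum content.

Added illustrative example, not from the article or ScanSafe. The
hostnames and sample posts below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: only the forum's own host may legitimately embed frames.
TRUSTED_HOSTS = {"forum.example.org"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names, so "IFRAME" is caught too.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """True for zero/one-pixel frames or CSS that hides the frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [attrs.get("width"), attrs.get("height")]
    tiny = any(str(d).strip("px\"' ") in {"0", "1"}
               for d in dims if d is not None)
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of {"src", "reasons"} for each suspect iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""  # "" for relative URLs
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("external host %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def scan_posts(posts, trusted_hosts=TRUSTED_HOSTS):
    """Map post id -> findings for every post that has a suspect iframe."""
    report = {}
    for post_id, html in posts.items():
        found = find_suspicious_iframes(html, trusted_hosts)
        if found:
            report[post_id] = found
    return report


# Constructed sample posts: one benign, one carrying an injected frame.
CLEAN_POST = (
    '<p>Has anyone tried the new firmware?</p>'
    '<iframe src="https://forum.example.org/embed/42"></iframe>'
)
INJECTED_POST = (
    '<p>Great thread, thanks.</p>'
    '<iframe src="http://compromised-site.invalid/script.php" '
    'width="0" height="0"></iframe>'
)

if __name__ == "__main__":
    for pid, hits in scan_posts({"1": CLEAN_POST, "2": INJECTED_POST}).items():
        for hit in hits:
            print("post %s: %s (%s)" % (pid, hit["src"], "; ".join(hit["reasons"])))
```

The host allow-list is deliberately strict: a legitimate embed from the forum itself passes, while anything framed from elsewhere is reported even when it is visible, because the injected frame in the article points at a third-party compromised site rather than at the forum.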

Landesman further said that the malicious script, which contains certain unique components seen in the first-stage Gumblar attacks, checks the installed versions of Adobe Reader and Adobe Flash and serves the same URL with a unique SID depending on the results.

The script also contains an exploit for the Microsoft Office Web Components vulnerability described in MS09-043, which was patched in August 2009. Successful exploitation results in a randomly named file being dropped onto the system.

“This causes the malware to load when any sound-enabled application, i.e. any browser, is launched. The malware also takes a read of sqlsodbc.chm, a file targeted by previous Gumblar-delivered malware,” said Landesman.

According to ScanSafe, a VirusTotal report shows that antivirus signature detection of the malware is very low.

See original article on scmagazineus.com
