Gumblar botnet on the march again

Security experts at ScanSafe are warning users to be on their guard after recording a resurgence of the notorious Gumblar botnet and its associated malware.

The security-as-a-service firm warned in its monthly Global Threat report that 29 percent of all web malware blocks last month were related to Gumblar, a botnet which installs traffic sniffers and backdoors on PCs and then uses stolen FTP credentials to compromise web sites.

"Gumblar is arguably one of the most insidious threats facing web surfers and web site operators today," said Mary Landesman, senior security researcher at ScanSafe.

"Disturbingly, in early November, we detected that the backdoor left in place on the compromised web sites by the Gumblar attackers was being leveraged by other groups of attackers, meaning that the sites were under their control. This exacerbates the seriousness of the situation."

Gumblar is more sophisticated than many threats in that it is dynamically obfuscated to bypass signature-based detection methods, according to ScanSafe. It is also dynamically constructed at the time of access, so that different users will be delivered different exploits and potentially different malware depending on their environment.

ScanSafe has also discovered that Gumblar is installing PHP backdoors on the compromised web sites, and using the sites as the actual malware host. This makes it exceptionally difficult to shut down.

"When a typical outbreak of web site compromises occurs, there are generally only a few actual malware domains involved," explained Landesman.

"In the case of Gumblar, a conservative estimate suggests that there are at least 2,000 'backdoored' web sites serving as malware hosts. As a result, there are few points at which to target efforts to shut down the source of the malware."