An Australian web hosting company has reported that zombie machines infected with the Gumblar exploit have re-awoken and are being used to propagate spam.
AussieHQ, which owns the Jumba brand, reports that tens of thousands of shared hosting customers have been infected by the malware.
The Gumblar exploit exploded onto the web in mid-May.
The malware searched for FTP (file transfer protocol) details stored on or being typed into client systems, and used these details to log in to web servers to inject the index accounts of the site with an invisible iFrame.
This iFrame then infects any client machines surfing to the web site and propagates itself should that client machine also access a web server via FTP.
But Michael McGoogan, chief executive of AussieHQ, reported that since Wednesday of this week, he has seen a "massive resurgence in infections."
"Gumblar has morphed itself many times and has become far more aggressive. The Gumblar exploit now appears to be at a stage two. It is now facilitating additional file uploads. Once it breaks in, either the initial attacker or third parties are gaining access to those files and using them to send out spam."
But the re-awakening is a mystery to John McDonald, senior security response manager for Symantec Asia Pacific. He told iTnews late yesterday that the web host may have stumbled onto a 'stage two' of the Gumblar virus, but may just as likely be the subject of a targeted attack.
McGoogan said he would not be surprised if there was a "spate" of web sites and web hosts blocked or blacklisted for sending spam in the coming days.
"This must be infecting hundreds of web hosts," he said.
AussieHQ has avoided being blacklisted because the web hosting company automatically scans outgoing mail from its servers, blocking spam.
But McGoogan doesn't assume all web hosting companies do the same.
He said AussieHQ staff have been cleaning out exploited sites since May, and only emailing affected customers.
"But as of Wednesday, because of the new surge, we have decided to make all customers aware that they need to update their anti-virus," he said.
McGoogan said it was difficult to detect infections.
"It is particularly aggressive because infected sites have no pattern signature," he said. "Each exploited account is infected using slightly different code. When it propagates, it regenerates a section of the code, so it changes on a per-account basis."
The malware also deletes itself from the index account after seven days to avoid detection. But by that stage, it has already uploaded new files to be used for sending spam.
McGoogan said the web hosting company has had to change the method with which it identifies exploited accounts.
"We aggregate the logs of our shared services," he said. "As soon as we see one FTP log-in address attempt to gain access to a greater number of accounts than our largest reseller has access to, we know those FTP log-in addresses are exploited. The problem is - detection is by symptom rather than cause. It is incredibly difficult to track."
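The symptom-based check McGoogan describes, sketched as an added example (not AussieHQ's code). It assumes "FTP log-in address" means the client IP address; the log format, sample lines, function names and reseller ceiling are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any particular FTP daemon's):
#   <timestamp> <client-ip> LOGIN user=<account> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^\S+ (?P<ip>\S+) LOGIN user=(?P<user>\S+) result=(?:OK|FAIL)$"
)


def accounts_per_address(lines):
    """Map each client address to the set of accounts it tried to log in to."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a login attempt, ignore
        # Failed attempts count too: the heuristic is about attempted access.
        seen[m["ip"]].add(m["user"])
    return seen


def suspicious_addresses(lines, largest_reseller_accounts):
    """Return {address: distinct accounts} for addresses above the ceiling."""
    return {
        ip: len(users)
        for ip, users in accounts_per_address(lines).items()
        if len(users) > largest_reseller_accounts
    }


def build_sample_logs():
    """Constructed sample lines, as if aggregated from several shared servers."""
    ts = "2001-01-01T00:00:00"
    logs = ["2001-01-01T00:00:00 server banner line, not a login"]
    # A reseller managing its 5 accounts from one address.
    logs += [f"{ts} 198.51.100.20 LOGIN user=reseller{i} result=OK" for i in range(5)]
    # One customer logging in to the same account many times.
    logs += [f"{ts} 192.0.2.44 LOGIN user=shop01 result=OK" for _ in range(10)]
    # One address trying 8 unrelated accounts, some attempts failing.
    logs += [
        f"{ts} 203.0.113.7 LOGIN user=cust{i:03d} result={'FAIL' if i % 3 == 0 else 'OK'}"
        for i in range(8)
    ]
    return logs


if __name__ == "__main__":
    ceiling = 5  # hypothetical: accounts held by the largest reseller
    for ip, n in suspicious_addresses(build_sample_logs(), ceiling).items():
        print(f"{ip}: login attempts against {n} accounts (ceiling {ceiling})")
```

Counting distinct accounts rather than raw logins keeps a busy single-account customer below the ceiling, while an address that touches many unrelated accounts stands out even when the injected code differs per account.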
McGoogan said any web hosting company that provides FTP access to customers will be affected.
"Some fifty per cent of our retail accounts have been found to be infected," McGoogan said.
"I don't understand how other hosts aren't telling their customers about this. My suspicion is that it's because as soon as you warn all the users, your service desk gets absolutely over-run. Some [hosts] must know they are infected and are not telling customers. They need to take that hit on the service desk. We need people to start talking about this. We need virus scans en masse."
Advice for consumers
Update and run your anti-virus and anti-malware software.
Advice for web hosts
Detect and block spam in outgoing mail from servers, and check for increasing server loads.
Have you experienced an increase in spam or suffered a Gumblar-related attack since Wednesday? Contact us at the newsdesk.