Gumblar malware spreading rapidly
A very serious piece of malware has surfaced on the internet, and it is proving more dangerous and malicious than earlier malware of its kind. The simple reason is that it sends spam, sniffs FTP login details, overwrites .htaccess files to hijack your website's search engine traffic, and disables essential security software.
When users visit a site that is infected with this malware, it installs itself on the visitor's machine and starts acting on its own.
It installs malware on a victim's machine that locally modifies Google search results, replacing the legitimate results with links to affiliates' pages. This is presumably a money-making tool for the customers who pay the malware gang to distribute the attack.
"This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits," said a United States Computer Emergency Readiness Team (US-CERT) advisory on the attack. FTP credentials could be used to inject the script into more sites, spreading the infection vectors.
The malware was originally delivered from a server with a Latvian IP address, according to managed security firm ScanSafe. A script inserted on hacked legitimate websites would force them to connect to the server, delivering a drive-by download to the victims’ machine.
Gumblar has spread rapidly because malicious JavaScript on compromised sites seems to be dynamically generated. That is, it can be different on every site, or even every page on a site.
“This is just the most recent example of legitimate sites being exploited to spread malware,” Samantha Madrid, a Cisco security product manager, told SCMagazineUS.com on Thursday. “What is unique to Gumblar is that it uses a multi-phased approach to propagate itself. It does not just deliver malware to the end-user.”
To deal with the problem, Cisco offers five tips to enterprises and websites:
- Make sure security protection is implemented for web servers and web applications.
- Also, educate and alert users to pay attention to pop-ups that warn them if they’re about to proceed to a questionable site.
- In addition, it is important to include client-side protection to establish a layered defense.
- Organizations also should install gateway security that is capable of drilling down into every internet access request.
- And make sure perimeters are secured with auditable firewalls.
The biggest threat is the targeting of web servers that can be compromised to become a host, so a properly configured web application firewall will help mitigate the threat. It's vital that organizations remind end-users of basic security principles regarding passwords and immediately force password changes. Any exchange of credentials should be done using encryption (HTTPS), never in the clear.
When using standard content management system (CMS) or forum software, keep it up to date and be aware of new vulnerabilities. In addition, keep on top of passwords — don't save them unless they are encrypted, and make sure site components do not use default passwords.
Sniffing FTP Login Details
This is the most dangerous and malicious part of the malware's behaviour. It sniffs the FTP logins that infected systems use to upload their content and sends the captured login details to the remote attacker. Once the FTP logins are received, the remote attacker starts uploading Perl files (.pl), .cgi files, .js files, .php files and .htm files that contain an injected iframe or malware redirection code. Previously this code was obvious when viewing the source of the file, but of late they have started inserting the malicious code as ASCII character codes or hex escapes so that a novice developer will not notice it quickly.
This type of injection cannot be scanned by any anti-virus software, as the code is not active until the page is viewed from a website.
The code can also be injected into a website directly, without FTP, via SQL injection or through vulnerable include files that have full write permission. Likewise, if users have unprotected directories with full permissions, those will be targeted for direct uploads to the server.
Sending Spam
Once the remote attacker uploads the malicious Perl file using the password sniffed as described above, that file can be used to send spam or phishing mail at will. These are difficult to trace or control, as most websites have sendmail enabled by default.
Hijacking the Search Engine Results
One common way these attackers spread this malware is to overwrite your .htaccess file so that all search engine hits from Google, Yahoo and so on are sent to their malware site. As a result, you may see the normal site when you access it directly as www.domain.com, but when you click on a search result for that domain in Google or Yahoo, you are redirected to a malware website.
Disables Security Software
This malware is also capable of disabling security software, such as anti-virus, on the system onto which it is downloaded. This kind of disabling is seen predominantly on Windows-based systems.
How to secure yourself from such an attack
- First, change the passwords for all your websites immediately. Make sure that FTP login details are strong and not easy to guess.
- Review the code of your infected website, particularly include files, .js files and so on. Look out for iframes, SQL injection code and long sequences of numbers and digits.
- Look in your SQL database for any field that has junk code or iframes injected.
- Check your .htaccess file in the various directories, such as public_html, and see whether any undesired changes have been made to it.
- Check for any .pl or .cgi file uploaded to your website or to the cgi-bin folder.
- Check for any unknown files whose names closely resemble the file names you uploaded to your website.
- The best way to safeguard is to keep a backup of your website, mail and database. Terminate the account, recreate it in your WHM, review the code and database thoroughly and upload your website again.
- Make sure that your local LAN and systems run the latest version of the OS with proper updates.
- Make sure that all your security software is up to date and functioning properly.
- Do not allow anyone to access unwanted sites from your local LAN, system or laptop.
- Make sure that a firewall such as Windows Firewall or the Zone Labs firewall is installed and enabled on your systems.
- Warn all your customers about this issue and make sure that they also keep their systems clean and secure.
- Advise your customers to change passwords regularly and make sure that passwords are always strong.
- Advise your customers to use secure and safe FTP software when uploading web pages, and to desist from uploading via public terminals.
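As an added example (not code from the original article or any of the sources it cites), the following Python script automates two of the checks above: it undoes the character-code and hex-escape encoding described under "Sniffing FTP Login Details" and flags iframes that only appear after decoding, and it inspects .htaccess for rewrite rules that send search-engine referrals to another host, as described under "Hijacking the Search Engine Results". The sample files, the malware.invalid hostname and the search-engine name list are constructed assumptions.

```python
import re

# Constructed fixtures standing in for a web root (not real Gumblar samples): an iframe hidden
# as String.fromCharCode() numbers and as %XX hex escapes, a clean page, and a hijacked .htaccess.
HIDDEN = '<iframe src="http://malware.invalid/" width=1 height=1></iframe>'
SAMPLES = {
    "index.php": "<?php include 'header.php'; ?>\n<script>eval(String.fromCharCode("
                 + ",".join(str(ord(c)) for c in HIDDEN) + "))</script>",
    "footer.js": "document.write(unescape('" + "".join("%{:02X}".format(ord(c)) for c in HIDDEN) + "'))",
    "about.html": "<p>About us</p>",
    ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
                 "RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]\nRewriteRule .* http://malware.invalid/ [R,L]\n",
}
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
HEX_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")
IFRAME = re.compile(r"<iframe[^>]*src\s*=", re.I)
REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|yahoo|bing|msn)", re.I)
EXTERNAL_RULE = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)

def decode_numbers(text):
    """Replace String.fromCharCode(60,105,...) with the characters it builds."""
    return FROMCHARCODE.sub(
        lambda m: "".join(chr(int(n)) for n in re.split(r"[\s,]+", m.group(1)) if n), text)

def decode_hex(text):
    """Replace runs of %XX escapes (what unescape() would decode) with the characters."""
    return HEX_RUN.sub(lambda m: "".join(chr(int(h, 16)) for h in m.group(0).split("%")[1:]), text)

def scan_page(text):
    """Findings for one HTML/JS/PHP file: an iframe in plain source, or one only visible after decoding."""
    if IFRAME.search(text):
        return ["iframe in plain source"]
    if IFRAME.search(decode_hex(decode_numbers(text))):
        return ["iframe hidden in encoded script"]
    return []

def scan_htaccess(text):
    """Flag a RewriteCond on search-engine referrers paired with a RewriteRule to another host."""
    if REFERER_COND.search(text) and EXTERNAL_RULE.search(text):
        return ["search-engine referrers redirected off-site"]
    return []

def scan_site(files):
    """files maps relative path -> content (e.g. read from a web root); returns only the hits."""
    report = {}
    for name, text in files.items():
        hits = scan_htaccess(text) if name.rsplit("/", 1)[-1] == ".htaccess" else scan_page(text)
        if hits:
            report[name] = hits
    return report
```

Running scan_site(SAMPLES) reports index.php, footer.js and .htaccess while leaving about.html clean; to use it on a real site, build the same path-to-content mapping from the files under the web root.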
Original Source:
http://www.scmagazineus.com/Experts-offer-tips-to-deal-with-Gumblar-malware/article/137256/
http://www.infosecurity-magazine.com/view/1833/gumblar-malware-attack-sweeps-web/
http://hostlogue.wordpress.com/2009/06/12/gumblar-malware/
