On the heels of having learned that Gumblar infected three Japanese websites late last year, MesageLabs Intelligence has tracked Gumblar’s latest activity which has been heavy over the past few days, especially on 17 January when it represented 25 percent of all malicious blocks. Generally in January we have seen a small number of blocks each day: average blocks per day 46 (2.3 percent of malicious blocks). Gumblar: malicious sites blocked by MessageLabs Some general statistics • Since Feb 2009 MessageLabs Intelligence has made 36926 blocks of Gumblar on 4930 URLs across 2048 different domains • Originally the malware was served up via a malicious site called gumblar.cn in April 2009, and the threat was named after that. Subsequently the same malware has appeared on thousands of domains, some set up with malicious intent to infect visitors, and some legitimate sites that have been compromised/changed so that they serve malware to unsuspecting visitors. • The most commonly blocked top-level domain for Gumblar is .com (48 percent), and most of these are legit compromised sites. • The next most common ones are .co.uk with 5 percent and .net with 5 percent. Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services According to Wikipedia, sites become infected using passwords obtained from site admins. The host site will access a website via FTP and infect the website. It will download large portions of the website and inject malicious code into the website's files before uploading the files back onto the server. The code is inserted into any file that contains a <body> tag, such as HTML, PHP, JavaScript, ASP and ASPx files. The inserted PHP code contains base64-encoded JavaScript that will infect computers that execute the code. In addition, some pages may have inline frames inserted into them. Typically, iframe code contains hidden links to certain malicious websites. The virus will also modify .htaccess and HOSTS files, and create images.php files in directories named 'images'. The infection is not a server-wide exploit. It will only infect sites on the server that it has passwords to. Infection of Interent Users Visitors to an infected site will be redirected to an alternative site containing further malware, which was once gumblar.cn, but has now switched to a variety of domains. The site sends the visitor an infected PDF that is opened by the visitor's browser or Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user's computer. The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients' stored passwords. It also enabled promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer. How does the Gumblar threat fit with other threats that are being blocked? We see a huge variety of different threat names. The names that have accounted for 95 percent of blocks in 2010 so far, are categorized into groups below. In January, Gumblar sits in a group of threats that is a lot less common than actual blocks of Trojan downloads/sites. Many of the blocks that are labeled Trojans, could be Gumblar-infected sites leading to a site which attempts to download a Trojan, which is then blocked. In November, Gumblar was so active it would have been featured much higher in this table, with at least 20 percent of blocks in November. The large group labelled “unknown/other” is a variety of different threats, most, if not all, of which are Trojan threats. Rogue AV and sites that sell fake AV protection software are becoming increasingly popular as are phish sites. Bredolab, another type of Trojan, is a utility Trojan much like Conficker/Downadup and is not designed for a specific task. Rather, it’s designed simply to gain control of the victim’s PC, which can later be used by the attacker or the control can be sold to others, in order to install specific malware like a botnet or keylogger.