Gumblar is essentially a combination of exploit scripts and malware that work together to infect and spread. The attack was named Gumblar because the first series of malware was downloaded from the Chinese domain name gumblar.cn, hosted on a server based in the U.K. The attacker subsequently moved to another domain name, martuz.cn, and started delivering the malicious payload from there. Now there are several domains hosting the malware – some 1500+, many of which are actually innocent victims themselves.
How does the Gumblar attack operate?
Despite having surfaced back in 2009, the Gumblar attack still exists today because of its continuing evolution and the manner in which it operates. Here is a simplified description of how Gumblar operates.
The downloaded malware now sits on the user's computer and begins the work of stealing the user's information, essentially looking for the FTP login credentials of any website(s) that the user owns or administers. It may download additional malware to aid it in the process. The malware will find FTP clients such as FileZilla and Dreamweaver and extract the stored passwords, or it may simply sit and wait for the user to log in to one of their FTP accounts and grab the credentials through a keylogger built into the malware. This malware is also capable of hooking into several system application programming interfaces (APIs), which allows it to monitor network activity and sniff for FTP credentials.
After the malware has gathered the FTP login URL, username and password, it sends them to a designated IP address, which is the IP address of the attacker.
Why is Gumblar difficult to detect and remove?
The sites that the embedded Gumblar script connects to also change frequently, because of the very manner in which Gumblar operates. Gumblar turns victim web servers into hosts for the malware that is downloaded onto victims' computers. Since new victims keep getting added as it spreads, the sites that the embedded script connects to keep changing. Further, since the victim websites are legitimate sites, known and trusted by other web visitors, the visiting users will never suspect the web pages they download from such sites and may unknowingly further the spread.
Needless to say, the Gumblar attacker initially targeted popular websites so as to accelerate the spread. One of the first such victim sites was Yahoo.
How to safeguard your website from a Gumblar attack
It should be noted that infection by the Gumblar attack is not due to any web server vulnerability. Most hosting providers do enforce stringent security measures to safeguard your data. The attack is perpetrated through stolen FTP login credentials: the malware transmits FTP information from an infected machine to the attacker's IP address, and this FTP information is then used to log in to the web server and infect the hosted website. So, the infection is not a server-wide exploit. It will only infect those sites on the server for which the attacker has passwords.
Given the nature and scope of this attack, it is important that proper security measures be taken at all levels to prevent it. I would like to suggest a few steps that would reduce the vulnerability of your computer and remove existing threats. Note that you will become a victim only if you are a webmaster who accesses web servers via FTP. If you are a mere website visitor and have nothing to do with uploading website files, you will be unaffected by this attack.
Install antivirus software with the latest updates and ensure removal of any malware, trojans or keyloggers on any computer that you use to manage your website's content via FTP. Several free antivirus products, such as AVG, AntiVir and Malwarebytes, are available for this purpose. Be careful not to download such free antivirus software from unknown or untrusted websites. Regular virus scans will minimize such threats to a great extent, provided you always keep virus signatures/patterns up to date.
Use a genuine licensed operating system and always keep system patches up to date. Also, keep upgrading your browser to the latest version. Avoid trying out recently launched browsers; always use one that has been established for years and comes from a reputable company.
When a computer is compromised, isolate it immediately from the network. Clean it. Once you are confident that you have a clean machine then you should change all FTP passwords. It is advisable that you set complex passwords and regularly change them for added security.
The easiest way to clean a Gumblar-infected site is to upload a clean copy from a backup source. Note, however, that Gumblar infects random files, so one missed file can lead to re-infection. Therefore, after changing your FTP password, delete all website files on the server and upload fresh clean files from your local backup. You must develop the habit of maintaining a clean copy of your website files on your local computer, better still on an offline storage disk.
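An added example (not from the original article) of the check behind this step: it hashes every file in a trusted local backup and in a downloaded copy of the live site and reports what differs, so that no altered or planted file is missed before the server tree is wiped and re-uploaded. The two directory trees and the tampering in `demo()` are constructed sample data, not a real site.

```python
import hashlib
import tempfile
from pathlib import Path


def _file_hashes(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(clean_root, server_root):
    """Compare a trusted local backup against a download of the live site.

    Returns a dict with three sorted lists:
      modified - files present in both trees whose content differs
      added    - files on the server that the backup never had
      missing  - backup files absent from the server
    Any non-empty list means the server copy cannot be trusted and the whole
    tree should be replaced from the backup, as the text advises.
    """
    clean = _file_hashes(clean_root)
    server = _file_hashes(server_root)
    return {
        "modified": sorted(p for p in clean if p in server and clean[p] != server[p]),
        "added": sorted(set(server) - set(clean)),
        "missing": sorted(set(clean) - set(server)),
    }


def demo():
    """Build two constructed trees in a temp dir and diff them (sample data only)."""
    tmp = Path(tempfile.mkdtemp())
    clean, server = tmp / "backup", tmp / "server"
    for root in (clean, server):
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "js" / "app.js").write_text("console.log('app');\n")
    # Constructed tampering: one page altered, one extra file planted in the tree.
    (server / "index.html").write_text("<html><body>Hello</body></html>\n<!-- changed -->\n")
    (server / "js" / "extra.php").write_text("<?php /* not in backup */ ?>\n")
    return compare_trees(clean, server)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```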
I also recommend that you avoid storing FTP passwords directly in the FTP clients that you use to upload your website pages. If multiple users have administrative rights to the FTP site, consider implementing strict password creation and renewal policies. You can further restrict FTP use by configuring your local network's firewall settings.
Although stolen FTP credentials are probably the major factor in a Gumblar attack, files may still be infected if they are intercepted while in transit. Secure protocols like SFTP, FTPS and SCP may be used instead of plain FTP to minimize this possibility. When transferring highly sensitive files electronically, it is advisable to encrypt the files before performing any kind of transfer. Setting up a more secure method of transferring files may indeed be complicated, but the added security this provides is well worth the effort.
Periodically test your website for security issues. Also carry out vulnerability tests to check that your website code is protected against code injection, SQL injection and cross-site scripting (XSS) attacks.
Avoid visiting untrustworthy websites that may redirect or download related malware onto a system.
Rajeev Kumar, CEO, Computer Solutions, Jamshedpur, India
Rajeev Kumar is the primary author of How2Lab. He holds a B.Tech. from IIT Kanpur and has several years of experience in IT education and software development. He has taught a wide spectrum of people, including fresh young talents, students of XLRI, industry professionals and govt. officials.
Rajeev founded Computer Solutions & WebServicesWorldwide.com, and has hands-on experience building a variety of web applications and portals, including SaaS-based ERP and e-commerce systems, independent B2B, B2C, matrimonial and job portals, and many more.