
What is Gumblar Attack?

Gumblar is essentially a combination of exploit scripts and malware that work together to infect and spread. The name Gumblar was given to this attack because the first series of malware was downloaded from a Chinese domain name, gumblar.cn, hosted on a server based in the U.K. Subsequently the attacker moved to another domain name, martuz.cn, and started delivering the malicious payload from there. Now there are several domains hosting the malware – some 1500+, many of which are actually innocent victims themselves.

Gumblar is a kind of code injection attack in which the hacker introduces malicious code into the victim's website files. The attack happens when the computer of the website owner or administrator is compromised and, after the attacker gains access to the owner's FTP login credentials, is used to upload malicious content to the website hosting server. Malicious code is embedded in HTML, PHP and JavaScript files on the web server, so anyone visiting the website is at risk of being attacked.

How does the Gumblar attack operate?

Despite having surfaced way back in 2009, the Gumblar attack still exists today because of its continuing evolution and the manner in which it operates. Here is a simplified description of how Gumblar operates.

  1. A user visits a website that is infected with Gumblar. The user opens a web page that contains embedded Gumblar code. The Gumblar code is essentially base64-encoded, obfuscated malicious JavaScript code and an iframe embed.
  2. Through the embedded iframe backdoor, the malicious JavaScript code silently downloads malware from the attacker's site hosted on some other server. The first such malware payload delivery site was gumblar.cn. Now there are several hundred such attacker sites. This downloaded malware finds its way onto the user's computer by taking advantage of vulnerabilities in the user's computer. One of the ways the vulnerability was exploited was this: the site sends the visitor an infected PDF that is opened by the visitor's browser or Acrobat Reader. The PDF then exploits a known vulnerability in Acrobat to gain access to the user's computer. Other means adopted include exploiting vulnerabilities in Adobe Flash Player and the Java Runtime Environment.
  3. The downloaded malware now sits on the user's computer and begins the work of stealing the user's information, essentially on the lookout for FTP login credentials of website(s) that the user may own or may be administering. It may download additional malware to aid it in the process. The malware will find FTP clients such as FileZilla and Dreamweaver and extract the stored passwords, or it may simply sit and wait for the user to log in to one of his FTP accounts and grab the credentials through a keylogger in the malware. This malware is also capable of hooking into several system application programming interfaces (APIs), thereby allowing it to monitor network activity and sniff for FTP credentials.
  4. After the malware has gathered the FTP login URL, username and password, it sends them to a designated IP address, which is the IP address of the hacker.
  5. The hacker now uses the login credentials to log in to the user's website server. He downloads a copy of the victim's website files, viz. html, php, asp, aspx, js, etc., embeds obfuscated malicious JavaScript code in them and re-uploads them to the user's web server. Now the user's website too is infected and becomes another source of Gumblar attack. Thus it spreads and the infection cycle continues.

Why is Gumblar difficult to detect and remove?

The unique stealth mechanism of Gumblar is that the malicious script embedded in web pages is obfuscated. Obfuscation makes it difficult for security tools or anti-virus programs to detect and analyze the malware. Further, the attacker generates the obfuscated JavaScript dynamically, thus embedding a different script in each infected page of the victim's website. Not only does the script vary from site to site, it can also vary from page to page on the same site, though all of them deliver the same result. Since each embedded script is different, anti-malware software cannot match it against any known signature, and hence it is difficult to detect and remove automatically.

The sites that the embedded Gumblar script connects to also change frequently, due to the very manner in which Gumblar operates. Gumblar turns victim web servers into hosts for the malware that is downloaded onto visitors' computers. Since new victims keep being added as it spreads, the sites that the embedded script connects to keep changing. Further, since the victim websites are legitimate sites, known and trusted by other web visitors, visiting users will never suspect the web pages they download from such sites and may unknowingly further the spread.
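Because each injected script differs, a signature will not catch it, but the shape of the injection described in the steps above and in this section (a long base64 blob that the page decodes and eval()s, plus a hidden iframe) can be flagged heuristically. The following is an added example, not code from the original article: a small scanner a webmaster could run over a web root. The thresholds, the decoder-function list and the two sample pages (with the placeholder host example.invalid) are my assumptions.

```python
import base64
import re
from pathlib import Path

# Heuristics are assumptions, not from the article: each injected script differs, so match its shape.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # a long run of base64 alphabet characters
HIDDEN_RE = re.compile(r"""(width|height)\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
DECODERS = ("eval(", "unescape(", "fromCharCode", "atob(", "document.write(")
WEB_EXT = {".html", ".htm", ".php", ".js", ".asp", ".aspx"}  # file types the article says get modified

def scan_html(html: str) -> list:
    """Return one finding string per suspicious <script> block or hidden <iframe>."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        hits = [d for d in DECODERS if d in body]
        blob = BASE64_RE.search(body)
        if blob:
            hits.append("base64 blob")
            # A blob that decodes to markup or to more eval() is a strong signal of injection.
            try:
                decoded = base64.b64decode(blob.group(0), validate=True).decode("latin-1")
                if "<iframe" in decoded.lower() or "eval(" in decoded:
                    hits.append("decoded blob contains iframe/eval")
            except ValueError:
                pass  # not valid base64 after all (e.g. a long minified identifier)
        if len(hits) >= 2:  # a decoder call plus encoded data, or several decoder calls
            findings.append("obfuscated script: " + ", ".join(hits))
    for tag in IFRAME_RE.findall(html):
        if HIDDEN_RE.search(tag):
            findings.append("hidden iframe: " + tag[:60])
    return findings

def scan_tree(root: str) -> dict:
    """Walk a web root and map each flagged file path to its findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in WEB_EXT:
            found = scan_html(p.read_text(errors="replace"))
            if found:
                report[str(p)] = found
    return report

# Constructed samples: one clean page and one injected page (example.invalid is a placeholder host).
CLEAN_SAMPLE = '<html><body><script src="/js/app.js"></script><p>Hello</p></body></html>'
_PAYLOAD = base64.b64encode(b"document.write('<iframe src=\"http://example.invalid/x\"></iframe>')").decode()
INFECTED_SAMPLE = ('<html><body><script>var s="' + _PAYLOAD + '";eval(atob(s));</script><iframe '
                   'src="http://example.invalid/y" width=1 height=1 style="visibility:hidden"></iframe></body></html>')
```

Run `scan_tree("/path/to/webroot")` against a copy of the site files; anything it reports should be compared against a known-clean backup, since the check is heuristic and a legitimately minified script can also trip it.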

Needless to say, the Gumblar hacker initially targeted popular websites so as to accelerate the spread. One of the first such victim sites was Yahoo.

How to safeguard your website from a Gumblar attack

It should be noted that a Gumblar infection is not due to any web server vulnerability. Most hosting providers do enforce stringent security measures to safeguard your data. The attack is perpetrated through stolen FTP login credentials: the malware transmits FTP information from an infected machine to the hacker's IP address, and this FTP information is then used to log in to the web server and infect the hosted website. So the infection is not a server-wide exploit; it will only infect those sites on the server for which it has passwords.

Given the nature and scope of this attack, it is important that proper security measures be taken at all levels to prevent it. I would like to suggest a few steps that would reduce the vulnerability of your computer and remove existing threats. Note that you will become a victim only if you are a webmaster who accesses web servers via FTP. If you are merely a website visitor and have nothing to do with uploading website files, you will be unaffected by this attack.


About the Author

Rajeev Kumar
CEO, Computer Solutions
Jamshedpur, India

Rajeev Kumar is the primary author of How2Lab. He is a B.Tech. from IIT Kanpur with several years of experience in IT education and Software development. He has taught a wide spectrum of people including fresh young talents, students of XLRI, industry professionals, and govt. officials.

Rajeev founded Computer Solutions & WebServicesWorldwide.com, and has hands-on experience in building a variety of web applications and portals, including SaaS-based ERP and e-commerce systems, independent B2B, B2C, matrimonial and job portals, and many more.

Copyright © How2Lab.com. All rights reserved.