Gumblar: Biggest Threat on the Web Today?


A new worm is propagating across the Web, and a growing chorus of security experts is warning that the Gumblar worm might be the biggest danger now facing the Net.

US-CERT yesterday issued an alert that the worm is propagating, joining warnings from other Internet security watchers like Sophos’ Graham Cluley, who last week blogged that his company’s figures indicate that the malware is currently the Web’s dominant threat.

Last Wednesday, Sophos researcher Onur Komili reported that Gumblar, also known as Troj/JSRedir-R, had roared to the No. 1 spot among the Web’s most common infections — noting that it’s six times more prevalent than the next closest threat, at around 42 percent of all of Sophos’ detections.

The Gumblar attack compromises Web sites through the use of stolen FTP credentials, which are among the targets of the legendary Sinowal Trojan. The compromised sites then infect users by means of a drive-by download attack that exploits unpatched Adobe PDF and Flash Player vulnerabilities.

“Drive-by-download attacks have proliferated over the past 18 months and are now one of the primary tools for distributing malware and recruiting zombies,” Amichai Shulman, CTO of data security vendor Imperva, said in an e-mail. “These attacks use legitimate sites to distribute malware that is actually hosted on an attacker-controlled server.”

Once a PC is successfully infected, the malware attempts to redirect Google (NASDAQ: GOOG) search engine results to point to malware-laden and phishing Web sites.

The malware “also steals FTP credentials (if found) from the victims’ computers,” Mary Landesman, a senior security researcher at ScanSafe, reported last week. “These stolen FTP credentials are then used to further compromise any websites owned or operated by the victim.”

“As a result, there is exponential growth of these compromises — as more victims are infected by encountering a compromised site, the number of compromised sites also increases and thus more visitors are exposed,” Landesman wrote.

The malware is but the latest in a series of increasingly frequent attacks on legitimate Web sites, which has experts warning users to beware of the sites they visit regularly.

“A user doesn’t see any of this happening and … URL filtering and blacklists won’t help,” Samantha Madrid, product manager of Cisco’s Web security product, said. “These infected sites are still legitimate and the attack catches people off-guard.”

Users are unlikely to notice any difference on Gumblar-compromised sites, she said.

“A Web site consists of 150 or 160 objects, and the attack adds just one more ingredient,” Madrid said. “Its footprint is small.”

Staying safe

Despite its rapid spread, fighting back against the latest malware threat could be relatively straightforward.

“US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks,” the group said in its advisory.

Cisco’s Madrid said that taking commonsense precautions like using desktop antivirus software can also help protect users.

Security vendors also seized the opportunity to tout the extra security measures they supply. Madrid said that Cisco software tracks the entire HTTP process, not just the initial request, which can help avoid such threats.

“People need a solution that understands the content and the origin of that content and can pick apart what’s benign and what’s malicious,” she said. “We are able to pick apart that malicious JavaScript and load the legitimate site.”

Imperva’s Shulman recommended similar measures for Web site owners.

“To protect their Web applications, organizations should implement security mechanisms like a Web application firewall, which would prevent the injection of malicious content in the first place, even if the injection mechanism is exploiting an unpatched or unknown application vulnerability,” he said.

“This technology can also detect injected pages, including instances where the injection occurred through an alternative channel like FTP,” he added.

However, detecting the issue is not simple, Shulman said. “The injected code used by Gumblar is highly randomized and obfuscated, which makes detecting injected pages harder.”

Cisco’s Madrid said that customers benefit from holistic Web monitoring. “With assets such as our Cisco Threat Intelligence Operations Center, we had our sights on these domains when they first launched. If our customers clicked on the search link, they did not get the malware. They were protected.”

She added that although — the domain from which the malware originated — is down, the malware writers are now delivering malware through the domain, and of course, the target could change again.

Furthermore, the worm could use more avenues of infection, and researchers cannot be certain that they understand everything it’s doing.

“The specifics remain somewhat unclear,” Madrid said. “We have been able to see that they are leveraging multiple vulnerabilities including vulnerabilities in Web application software.”

Update adds comments from Cisco’s Madrid and Imperva’s Shulman.
