OMG! Gumblar gets busy
I just had a Jaws moment. You know, you think it is safe to go back in the water and then a bloody great shark bites your legs off. Except in this case you can replace the sea with the Internet and the shark with the equally dangerous Gumblar.
According to the latest ScanSafe numbers, Gumblar was responsible for a whopping 29% of all the web malware blocks it saw during October. Gumblar, in case you were wondering, is the collective name for a family of website compromises which are particularly nasty. Using a variety of routes to infection, Gumblar will install traffic sniffers and backdoors on computers, and exploit stolen FTP data to compromise web servers and sites.
During the course of October it began to put a backdoor botnet to use as a malware host, something very rarely seen, as botnets are usually used to distribute malware and launch attacks rather than host malware. To make matters even more worrisome, Gumblar has been dynamically constructing the hosted malware at the time of access, so that users are served different exploits depending on factors such as browser type. Throw in the use of dynamic obfuscation and you start to understand why Gumblar is proving to be such a troublesome beast. Once a Gumblar family exploit has been successfully installed via a visit to a compromised site, it is able to intercept all web traffic in both directions.
"Gumblar is arguably one of the most insidious threats facing both Web surfers and website operators today," Mary Landesman, senior security researcher at ScanSafe, argues. "Disturbingly, in early November, we detected that the backdoor left in place on the compromised websites by the Gumblar attackers was being leveraged by other groups of attackers, meaning that the sites were under their control. This exacerbates the seriousness of the situation."
Landesman admits that the implications of this evolutionary departure from the norm displayed by Gumblar, in installing PHP backdoors on compromised websites and using them as the actual malware host, are rather staggering. "When a typical outbreak of website compromises occurs, there are generally only a few actual malware domains involved," Landesman explains, adding, "in the case of Gumblar, conservatively there are at least 2,000 backdoored websites serving as actual malware hosts. As a result, there is no single point, or few points, at which to target efforts to shut down the source of malware."