I just had a Jaws moment. You know, you think it is safe to go back in the water and then a bloody great shark bites your legs off. Except in this case you can replace the sea with the Internet and the shark with the equally dangerous Gumblar.
According to the latest ScanSafe numbers, Gumblar was responsible for a whopping 29% of all the web malware blocks it saw during October. Gumblar, in case you were wondering, is the collective name for a family of website compromises which are particularly nasty. Using a variety of routes to infection, Gumblar will install traffic sniffers and backdoors on computers, and exploit stolen FTP data to compromise web servers and sites.
During the course of October it began to put a backdoor botnet to use as a malware host, something very rarely seen as botnets are usually used to distribute and attack rather than host malware. To make matters even more worrisome, Gumblar has been dynamically constructing the hosted malware at the time of access to ensure users are delivered different exploits dependent on factors such as browser type for example. Throw in the use of dynamic obfuscation and you start to understand why Gumblar is proving to be such a troublesome beast. Once a Gumblar family exploit has been successfully installed via a visit to a compromised site, it is able to intercept all web traffic in both directions.
"Gumblar is arguably one of the most insidious threats facing both Web surfers and website operators today" Mary Landesman, senior security researcher at ScanSafe, argues "disturbingly, in early November, we detected that the backdoor left in place on the compromised websites by the Gumblar attackers was being leveraged by other groups of attackers meaning that the sites were under their control. This exacerbates the seriousness of the situation".
Landesman admits that the implications of this evolutionary departure from the norm displayed by Gumblar when it comes to installing PHP backdoors on compromised websites and using them as the actual malware host are rather staggering. "When a typical outbreak of website compromises occur, there are generally only a few actual malware domains involved" Landesman explains, adding "in the case of Gumblar, conservatively there are at least 2,000 backdoored websites serving as actual malware hosts. As a result, there is no single or few points at which to target efforts to shutdown the source of malware".