Vacation is a time for visiting friends and family, going abroad, eating ice-cream, gardening – whatever helps you regroup and recharge. Computer security is probably the last thing on your mind, even if you’ve taken your laptop home with you to keep tabs on what’s going on at the office.

But as my colleague Christian pointed out in this article last year, summer often brings some serious security issues. And I’ve got recent further proof of this: just a few weeks ago I was attending our annual security conference at a very classy hotel in Cyprus. Everything seemed perfect – until we connected to the hotel Wi-Fi.

If you’ve ever taken your laptop with you on business or vacation, you’ll know the drill. When you want to connect to the Internet via a hotel network, you get redirected to a site controlled by the hotel’s router. You need to either enter a code provided by the hotel, or your credit card details – all on a site which may or may not be secure.

In Cyprus, we found out that the page you get redirected to when you try and access the Internet was infected with Gumblar. The hotel was lucky to have 30+ security experts staying there – but if we hadn’t been holding our conference there, the site could have stayed infected for quite a while!

Logging on via insecure connections isn’t the only seasonal security issue. People’s computer and online habits change when they’re on holiday – they tend to use their computers less, and in short bursts, just to get the information they need. For instance, you’ll often see people logging on for ten minutes to quickly check email, download maps or details about the places they’re planning to visit, etc.

If you’re quickly checking for some information that you need via GPRS or a slow Wi-Fi connection, you’re probably not going to bother updating your antivirus or installing security patches. You might rationalize your decision (if you even think about it) by telling yourself that you don’t go to dodgy sites which are likely to be hosting malware. But our experience in Cyprus really highlights the fact that malware is everywhere.

Ignoring security patches and antivirus updates while you’re on vacation means that if you log on, you are putting yourself at risk. And when you get back to work after two, three, or even four weeks off, if you haven’t been using your computer, the very first thing you should do is make sure that it’s fully patched, and security software up to date. Of course you want to get to all the funny YouTube links etc. that your colleagues sent while you were away – but update before you start checking your mail or clicking through links and attachments.

Insecure networks, infected sites, and vulnerable software and systems are all technical aspects of IT security. But apart from all the technical stuff, lots of people are giving out far too much information on Facebook, Twitter, and even in their Out Of Office replies. Posting that you’re off to some exotic resort for two weeks is almost an open invitation to burglars and other criminals to come and rifle your property while you’re gone…

Simple tips on how to have a more secure vacation

Before you go

• Don’t write on your social network that you’re going on holiday!
• Make sure you’ve got all the latest security patches installed, including patches for third party applications such as PDF readers, browsers, chat programs, etc.

While you’re away

• Make sure that your antivirus is up to date. You never know what might be lurking on the network!
• Use common sense - don’t enter credit card details or passwords unless it’s essential, and only if you’re confident the network is secure
• If you’re paranoid, disable programs that autostart such as Skype or MSN – you wouldn’t want someone to steal your passwords over an insecure network.

When you get back

Here we are, gathered in Larnaca (Cypus) for the Security Analyst Summit 2010. Beautiful beaches, gorgeous weather - the first thing coming to mind would be jumping into any of the numerous pools or into the sea and have some fun.

WOULD be indeed. However, what came up instead was malware attacks while trying to login to the hotel's Wi-Fi network. Gumblar. It was our dear friend Gumblar, variant .x to be precise.

So... did we hit the beaches? No... we helped the hotel IT staff clean up the mess. Now we are at the beach – finally :-)))))))))

Gumblar malware first appeared in spring 2009. Since then it has attracted a lot of attention of local ISPs in many countries, because it steals FTP credentials and injects malicious links in legitimate content as well as uploading backdoors on compromised servers.

We have already described the general architecture of the Gumblar system here. The only thing which has changed since that time is the number of compromised servers and the additional layer of servers in the infection process chain. The infection process now starts from a legitimate webpage which has an injected <script> tag (such page called an html-redirector) which refers to a server that has php (called a php-redirector) that produces javascript that further redirects the browser. There may be between one and four redirections like this and finally the browser gets the content from the server that’s the actual infector. The last server in the chain has a bundle of exploits which is used to attack Internet users. Recent numbers show how many URLs of different types are in that process:

The numbers above show only a slice of the real picture that we were able to get, which means that the real numbers may be much bigger. At this moment no one has information on how many compromised client machines are in the Gumblar botnet, but we believe it’s more than just the number of compromised servers, because the number of servers represents only the count of infected users that have their own websites and use FTP clients on the infected system.

We counted the total number of Gumblar server backdoors and it currently stands at about 4,460.

The danger from the Gumblar system lies not only in the potentially huge client botnet, but also in the aggregated power of the compromised servers. This is clearly understood by security researchers and ISPs. Many attempts have been made to analyze how big the system is and who stands behind it.

Japan was one of the countries which dedicated a lot of resources to the problem of Gumblar because:

• Japanese servers are in the top 5 in terms of number of infections worldwide;
• 2.there is not as much local malware in Japan as in other countries, so Gumblar - which blindly crosses international borders – quickly gained a lot of attention.

We have been tracking Gumblar from the beginning from our Japanese research lab. In fact, downloading new samples, decoding and unpacking shellcodes and extracting new URLs has become a daily routine for many researchers in Japan, not only us.

Gumblar developers have noticed non-stop activity coming from many Japanese IPs targeting their system. The hard work analysing the threat and the active online data being harvested from Japan resulted in a response from the bad guys. Not so long ago we came across a new variant of the infector script created by the Gumblar developers which verifies where the remote client is coming from. The script uses a free IP-to-country database to locate the country of the client. And if the country turns out to be Japan, the script halts and doesn't attack. Below is the part of the code which implements it:

In the highlighted piece of code, the function ‘gC’ gets the country code of the current client and if this equals ‘111’ (which stands for JP in the IP-to-country database) the code sets the value of the variable ‘$zz’ to 0 which halts the application.

Similar activity has been seen at FTP servers that we are monitoring. Japanese servers are no longer reinfected, while other countries are still under attack (the interval between server reinfections varies from 11 to 33 hours).

Unluckily for the bad guys we are an international team of researchers, so even if they try to ban Japanese IPs - which may limit the number of data harvesters coming from Japan - we still have resources to continue our research from other countries.

Malicious programs targeting the confidential data used to access online banking systems have long been the bane of financial organizations worldwide. Analysts are quick to tell of the many millions of dollars stolen, whilst the victims who have had their accounts plundered complain bitterly about being left high and dry without any compensation.

Number of search results for “stolen+money+bank+Trojan” on Google

The appearance, therefore, of yet another piece of malware designed to relieve the unwary of their money is anything but hot news. It does, however, offer an insight into how the cybercriminals get their hands on your cash.

Gumblar attack

Last spring it became clear that a mass compromise of websites had taken place. The culprit on this occasion was the Gumblar script downloader, which managed to place the vulnerabilities of online security firmly in the spotlight once again. Since then, the distribution system used by Gumblar has become the way-to-go for spreading numerous other malicious programs.

The Gumblar attack cycle. Source: www.digitalthreat.net

Gumblar still remains at the top of our monthly rating and our analysts are still on its case, tracking all the compromised sites. A number of techniques for infecting websites have turned up whilst in the process of monitoring Gumblar, the main one being the use of stolen passwords to access FTP resources. The fact that the same sites have been repeatedly compromised, even after being given the all-clear by their administrators, shows that the cybercriminals are constantly active and that they know rich-pickings when they see it.

We've now analyzed more than 600 MB of collected data related to the recent resurrection of the Gumblar threat. Overall, we've identified 2000+ Infectors (computers hosting the malicious *.php files and payload) and 76100+ 'Redirectors' (computers with links leading back to the malicious sites). Most Infectors are also part of the group of Redirectors, they serve one *.php file and additionally contain the link to another Infector in their own entry page.

(If you're interested in the structure of the Gumblar threat, my colleague Vitaly gives more details here)

Comparing the stats below with those from a month ago, you can see how the threat has spread and evolved. These latest numbers are a snapshot of November 30th and are continuing to increase steadily.

We've been looking at the infrastructure of the Gumblar malware and found some curious facts on how Gumblar operates which we would like to share to make hosting owners aware of the Gumblar threat.

Analysis of some infected websites showed that the only way to inject the infection of Gumblar was by using FTP access, because those websites have no server-side scripting. Later this was proved by an analysis of FTP log files.

The malicious code injection in HTML pages (which is a simple insertion of <script> tag in every file having HTML) was done by downloading all files from the server that could have HTML, changing them and uploading back. We call the websites modified in this way “redirectors”, because they simply redirect browsers to the website spreading malware.

The injected script refers to another website hosting exploits and registering all attacked clients. These websites have to support php, because the backend is implemented in php. We call these websites infectors, because they host the exploits and malicious executable file for Windows. The malicious Windows executable is pushed when the attack is successful. The executable waits for the user to enter FTP credentials.

We've been able to find where the server code for redirectors and infectors websites was coming from. And we've found an additional tier of infrastructure - a set of compromised websites which we call “injectors”. These websites host a generic php backdoor which lets the owner execute any php code on the webserver.

As expected, we can confirm more compromised machines. Our current count looks as follows:

7798    UNITED STATES
1765    INDIA
1332    ARGENTINA
1244    TURKEY
1094    RUSSIAN FEDERATION
1084    GERMANY
968      SPAIN
950      ISLAMIC REPUBLIC OF IRAN
881      REPUBLIC OF KOREA
878      MOROCCO
822      CANADA
815      PERU
792      JAPAN
712      THAILAND
689      AUSTRIA
678      ROMANIA
655      POLAND
654      ISRAEL
628      SWEDEN
599      ITALY

These numbers stand for unique hosts, some of them contain several user directories etc. which means that the real count is much higher than shown here. As mentioned before, each of these hosts are spreading a set of malicious files which are sent to a user depending on the computer's environment. We used the site www.virustotal.com to confirm current detection status of 41 AntiVirus Vendors who participate on that site. The result showed that currently only 3 out of 41 vendors detect the malicious *.php file which is injected at above locations. The malicious *.pdf file scored with 4/41 and the flash content was detected by 3 out of 41 vendors. However, the main executable payload was detected by 33 vendors. Of course, these malicious files can be changed at any time by the criminals who operate this scheme. We are closely monitoring further development in order to protect our users as fast as possible.

Around October 20th we received mails from our office in Turkey about the "possible spread of a new virus". And our colleagues were right, something was going on. Some days before that, on Oct 16th we noticed changes on some websites which we monitored since May 2009 when 'gumblar' was spreading. While the attack in April/May just worked with iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are more widely distributed - we identified more than 202 locations.

The following is a TOP 20 list of countries with 'injected' hosts who point to these malicious URLs:

7271    UNITED STATES*
704      RUSSIAN FEDERATION
675      REPUBLIC OF KOREA
619      ISLAMIC REPUBLIC OF IRAN
540      TURKEY
510      GERMANY
499      INDIA
487      JAPAN
400      THAILAND
382      POLAND
379      BRAZIL
345      ARGENTINA
298      CZECH REPUBLIC
187      HUNGARY
182      BELGIUM
173      ITALY
163      ROMANIA
159      UKRAINE
157      FRANCE
117      VIET NAM

*Note: The US count contains more than 4000 entries pointing to a Persian Blog Site, which probably was the biggest abused entry so far.