31 Aug Gumblagra and a piano Michael
22 Jul How does your vacation affect your security? David Jacoby
01 Jun Gumblar at Lemesos Michael
04 May Gumblar: Farewell Japan VitalyK
19 Mar Lock, stock and two smoking Trojans: bank robbery in the 21st century Sergey Golovanov
04 Dec Gumblar infection count Michael
Since the beginning of August, our Japan office has seen 900+ mails of a certain kind in their spam traps.
We noticed two patterns common to all of these mails. First, the links in the spammed messages all point to compromised servers. Second, the file names of the redirectors are all dictionary words followed by two digits. The files redirect users to online pharmacy sites and fake watch stores. Here is a screen capture of a directory hosted on one of these sites:
You might wonder why this caught our attention. The answer is simple: about half of these files contained links to 'gumblar.x' servers.
The upper red link points to a pharmacy site, the lower one is a gumblar.x URL.
So basically an unsuspecting (and unprotected) user who clicks these links in their mail will experience a typical 'gumblar attack' while browsing a pill catalog. The recent peak of such hybrid attacks may be a sign that the cybercriminal(s) who’ve been slowly but surely growing the Gumblar botnet worldwide, and who up until now have been keen to fly under the radar, are now starting to monetize it. The first test runs of mixed pharmacy/gumblar pages were actually identified by our experts as early as April 2010, when we noticed a few mails of this kind with subjects like "Twitter 61-213".
On further investigation of the servers involved, it turned out that many of them have additional malicious code injected directly into their www root. We counted mostly gumblar.x, but also some 'pegel.*' and other obfuscated code containing iframe injectors or other redirectors.
Additionally, almost ALL of these domains contained a link to 'hxxp://nuttypiano.com/*.js' at the end of the file.
There are more than 300 different .js files in circulation on such servers; their content is obfuscated and similar to known 'pegel' threats. To make our researchers' task more difficult, the malicious code is only sent once to the same IP address. However, we managed to download several samples from the same locations and identified polymorphic-like structures.
These redirect to other locations on port 8080, which in turn try to push more malware onto the victim's machine.
Here is a quick summary of such injected sites, sorted by country: #1 is the US, followed by FR, DE, TR and JP. Affected webmasters should consider changing their compromised ftp credentials, clean the machines which led to the leak, and investigate their server logs for more details.
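A defender-side check that the observations in this post suggest, written here as an added example rather than the researchers' own code: it walks the <script> tags of an HTML page and flags the traits described above (a script loaded from a host outside the site's own allowlist, a script tag appended after the closing </html>, a URL on a non-standard port such as 8080, and inline JavaScript dense with the usual obfuscation calls). The allowlist, the two sample pages and the host names in them (good-cdn.example, evil-host.example) are constructed for the example.

```python
"""Flag Gumblar-style <script> injection in HTML pages (added example).

Heuristics taken from the observations above: a script pulled from a host
the site does not normally use, a script tag appended after </html>, a URL
on a non-standard port such as 8080, and obfuscated inline JavaScript.
ALLOWED_SCRIPT_HOSTS and both sample pages are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"good-cdn.example"}

# Calls and escapes that dominate the obfuscated redirector scripts.
OBFUSCATION_MARKERS = ("String.fromCharCode", "unescape(", "eval(", "\\x", "%u")


class ScriptCollector(HTMLParser):
    """Record every <script> tag: its src, inline body and whether it
    appeared after the document had already been closed with </html>."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "after_html_close": self._html_closed}
            self.scripts.append(self._current)

    def handle_data(self, data):
        # Script bodies arrive as raw CDATA, possibly in several chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None
        elif tag == "html":
            self._html_closed = True


def looks_obfuscated(js, threshold=3):
    """Crude density test: several obfuscation markers in one inline script."""
    return sum(js.count(m) for m in OBFUSCATION_MARKERS) >= threshold


def scan_html(text):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    parser = ScriptCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for i, s in enumerate(parser.scripts):
        if s["src"]:
            url = urlparse(s["src"])
            if url.hostname and url.hostname not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"script[{i}]: src host {url.hostname} not on allowlist")
            if url.port not in (None, 80, 443):
                findings.append(f"script[{i}]: src uses non-standard port {url.port}")
        elif looks_obfuscated(s["body"]):
            findings.append(f"script[{i}]: obfuscated inline JavaScript")
        if s["after_html_close"]:
            findings.append(f"script[{i}]: script tag appended after </html>")
    return findings


# Constructed sample pages: a clean page, and the same page with an appended
# redirector script and an obfuscated loader, as described in the post.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="https://good-cdn.example/site.js"></script>
</head><body><p>Welcome</p></body></html>
"""

INJECTED_PAGE = CLEAN_PAGE + """<script src="http://evil-host.example:8080/piano.js"></script>
<script>eval(unescape(String.fromCharCode(118,97,114)+'%u0020x'));</script>
"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page) or ["no findings"])
```

Run over a site's document root, an empty result for every file is the expected state; a single external host turning up across many files at once is the pattern this post describes, and is worth checking against the FTP logs mentioned above.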
Vacation is a time for visiting friends and family, going abroad, eating ice-cream, gardening – whatever helps you regroup and recharge. Computer security is probably the last thing on your mind, even if you’ve taken your laptop home with you to keep tabs on what’s going on at the office.
But as my colleague Christian pointed out in this article last year, summer often brings some serious security issues. And I’ve got recent further proof of this: just a few weeks ago I was attending our annual security conference at a very classy hotel in Cyprus. Everything seemed perfect – until we connected to the hotel Wi-Fi.
If you’ve ever taken your laptop with you on business or vacation, you’ll know the drill. When you want to connect to the Internet via a hotel network, you get redirected to a site controlled by the hotel’s router. You need to either enter a code provided by the hotel, or your credit card details – all on a site which may or may not be secure.
In Cyprus, we found out that the page you get redirected to when you try and access the Internet was infected with Gumblar. The hotel was lucky to have 30+ security experts staying there – but if we hadn’t been holding our conference there, the site could have stayed infected for quite a while!
Logging on via insecure connections isn’t the only seasonal security issue. People’s computer and online habits change when they’re on holiday – they tend to use their computers less, and in short bursts, just to get the information they need. For instance, you’ll often see people logging on for ten minutes to quickly check email, download maps or details about the places they’re planning to visit, etc.
If you’re quickly checking for some information that you need via GPRS or a slow Wi-Fi connection, you’re probably not going to bother updating your antivirus or installing security patches. You might rationalize your decision (if you even think about it) by telling yourself that you don’t go to dodgy sites which are likely to be hosting malware. But our experience in Cyprus really highlights the fact that malware is everywhere.
Ignoring security patches and antivirus updates while you’re on vacation means that if you log on, you are putting yourself at risk. And when you get back to work after two, three, or even four weeks off, if you haven’t been using your computer, the very first thing you should do is make sure that it’s fully patched, and security software up to date. Of course you want to get to all the funny YouTube links etc. that your colleagues sent while you were away – but update before you start checking your mail or clicking through links and attachments.
Insecure networks, infected sites, and vulnerable software and systems are all technical aspects of IT security. But apart from all the technical stuff, lots of people are giving out far too much information on Facebook, Twitter, and even in their Out Of Office replies. Posting that you’re off to some exotic resort for two weeks is almost an open invitation to burglars and other criminals to come and rifle your property while you’re gone…
Simple tips on how to have a more secure vacation
Before you go
While you’re away
When you get back
Here we are, gathered in Larnaca (Cyprus) for the Security Analyst Summit 2010. Beautiful beaches, gorgeous weather - the first thing that comes to mind is jumping into one of the numerous pools, or into the sea, and having some fun.
WOULD be indeed. However, what came up instead was a malware attack while trying to log in to the hotel's Wi-Fi network. Gumblar. It was our dear friend Gumblar, variant .x to be precise.
So... did we hit the beaches? No... we helped the hotel IT staff clean up the mess. Now we are at the beach – finally :-)))))))))
Gumblar malware first appeared in spring 2009. Since then it has attracted a lot of attention from local ISPs in many countries, because it steals FTP credentials, injects malicious links into legitimate content and uploads backdoors to compromised servers.
The numbers above show only the slice of the real picture that we were able to see, so the real numbers may be much bigger. At this moment no one knows how many compromised client machines are in the Gumblar botnet, but we believe it is more than the number of compromised servers, because the server count represents only those infected users who have their own websites and use FTP clients on the infected system.
We counted the total number of Gumblar server backdoors and it currently stands at about 4,460.
The danger from the Gumblar system lies not only in the potentially huge client botnet, but also in the aggregated power of the compromised servers. This is clearly understood by security researchers and ISPs. Many attempts have been made to analyze how big the system is and who stands behind it.
Japan was one of the countries which dedicated a lot of resources to the problem of Gumblar because:
We have been tracking Gumblar from the beginning, from our Japanese research lab. In fact, downloading new samples, decoding and unpacking shellcode and extracting new URLs has become a daily routine for many researchers in Japan, not only us.
Gumblar developers have noticed non-stop activity coming from many Japanese IPs targeting their system. The hard work analysing the threat and the active online data being harvested from Japan resulted in a response from the bad guys. Not so long ago we came across a new variant of the infector script created by the Gumblar developers which verifies where the remote client is coming from. The script uses a free IP-to-country database to locate the country of the client. And if the country turns out to be Japan, the script halts and doesn't attack. Below is the part of the code which implements it:
In the highlighted piece of code, the function ‘gC’ gets the country code of the current client, and if this equals ‘111’ (which stands for JP in the IP-to-country database) the code sets the variable ‘$zz’ to 0, which halts the script.
Similar activity has been seen at FTP servers that we are monitoring. Japanese servers are no longer reinfected, while other countries are still under attack (the interval between server reinfections varies from 11 to 33 hours).
Unluckily for the bad guys we are an international team of researchers, so even if they try to ban Japanese IPs - which may limit the number of data harvesters coming from Japan - we still have resources to continue our research from other countries.
Malicious programs targeting the confidential data used to access online banking systems have long been the bane of financial organizations worldwide. Analysts are quick to tell of the many millions of dollars stolen, whilst the victims who have had their accounts plundered complain bitterly about being left high and dry without any compensation.
Number of search results for “stolen+money+bank+Trojan” on Google
The appearance, therefore, of yet another piece of malware designed to relieve the unwary of their money is anything but hot news. It does, however, offer an insight into how the cybercriminals get their hands on your cash.
Last spring it became clear that a mass compromise of websites had taken place. The culprit on this occasion was the Gumblar script downloader, which once again placed the vulnerabilities of online security firmly in the spotlight. Since then, the distribution system used by Gumblar has become the way to go for spreading numerous other malicious programs.
The Gumblar attack cycle. Source: www.digitalthreat.net
Gumblar still remains at the top of our monthly rating and our analysts are still on its case, tracking all the compromised sites. A number of techniques for infecting websites have turned up in the course of monitoring Gumblar, the main one being the use of stolen passwords to access FTP resources. The fact that the same sites have been repeatedly compromised, even after being given the all-clear by their administrators, shows that the cybercriminals are constantly active and know rich pickings when they see them.
We've now analyzed more than 600 MB of collected data related to the recent resurrection of the Gumblar threat. Overall, we've identified 2000+ infectors (computers hosting the malicious *.php files and payload) and 76100+ redirectors (computers with links leading back to the malicious sites). Most infectors are also redirectors: they serve one *.php file and additionally contain a link to another infector in their own entry page.
(If you're interested in the structure of the Gumblar threat, my colleague Vitaly gives more details here)
Comparing the stats below with those from a month ago, you can see how the threat has spread and evolved. These latest numbers are a snapshot of November 30th and are continuing to increase steadily.
We've been looking at the infrastructure of the Gumblar malware and found some curious facts on how Gumblar operates which we would like to share to make hosting owners aware of the Gumblar threat.
Analysis of some infected websites showed that the only way the Gumblar infection could have been injected was via FTP access, because those websites have no server-side scripting. This was later confirmed by an analysis of FTP log files.
The malicious code injection into HTML pages (a simple insertion of a <script> tag into every file containing HTML) was done by downloading all files from the server that could contain HTML, changing them and uploading them back. We call websites modified in this way “redirectors”, because they simply redirect browsers to the website spreading the malware.
The injected script refers to another website hosting exploits and registering all attacked clients. These websites have to support PHP, because the backend is implemented in PHP. We call these websites “infectors”, because they host the exploits and the malicious executable file for Windows. The executable is pushed when the attack is successful; once running, it waits for the user to enter FTP credentials.
We've been able to find where the server code for the redirector and infector websites was coming from, and we've found an additional tier of infrastructure: a set of compromised websites which we call “injectors”. These websites host a generic PHP backdoor which lets its owner execute arbitrary PHP code on the webserver.
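One way to carry out the FTP log analysis mentioned above, given here as an added example and not the authors' own tooling: it reads standard xferlog records (the transfer-log format written by wu-ftpd and ProFTPD) and reports clients that downloaded a batch of HTML-like files and re-uploaded the same paths shortly afterwards, which is the download/modify/upload cycle this post describes for the redirector sites. The log lines are constructed for the example; the 30-minute window and the two-file threshold are assumptions to tune per site.

```python
"""Find the FTP download/modify/upload cycle in xferlog records (added example).

Parses the standard xferlog layout written by wu-ftpd and ProFTPD:
  date(5 tokens) xfer-secs host size path type flag direction mode user
  service auth-method auth-id status
and reports clients that downloaded a batch of HTML-like files and then
re-uploaded the same paths shortly afterwards.  The log lines below are
constructed; the window and threshold are assumptions to tune per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

XFERLOG = """\
Fri Oct 16 02:10:03 2009 1 203.0.113.7 5120 /var/www/html/index.html b _ o r webuser ftp 0 * c
Fri Oct 16 02:10:04 2009 1 203.0.113.7 3100 /var/www/html/about.html b _ o r webuser ftp 0 * c
Fri Oct 16 02:10:05 2009 1 203.0.113.7 2200 /var/www/html/contact.htm b _ o r webuser ftp 0 * c
Fri Oct 16 02:10:21 2009 1 203.0.113.7 5404 /var/www/html/index.html b _ i r webuser ftp 0 * c
Fri Oct 16 02:10:22 2009 1 203.0.113.7 3384 /var/www/html/about.html b _ i r webuser ftp 0 * c
Fri Oct 16 02:10:23 2009 1 203.0.113.7 2484 /var/www/html/contact.htm b _ i r webuser ftp 0 * c
Fri Oct 16 09:30:00 2009 2 198.51.100.4 9000 /var/www/html/news.html b _ i r webuser ftp 0 * c
Fri Oct 16 10:00:00 2009 1 198.51.100.4 12000 /var/www/html/photo.jpg b _ o r webuser ftp 0 * c
"""

# Files the injection touched according to the post: anything that carries HTML.
HTML_SUFFIXES = (".html", ".htm", ".php")


def parse_xferlog(text):
    """Turn xferlog lines into dicts; lines with fewer than 18 fields (for
    example paths containing spaces) are skipped rather than mis-parsed."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue
        records.append({
            "time": datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y"),
            "host": t[6],
            "size": int(t[7]),
            "path": t[8],
            "direction": t[11],   # 'o' = client downloaded, 'i' = client uploaded
            "user": t[13],
        })
    return records


def find_rewrite_sessions(records, window=timedelta(minutes=30), min_files=2):
    """Map (user, host) -> [(path, size_delta)] for HTML-like files that the
    same client downloaded and then re-uploaded within `window`.  Only
    clients that rewrote at least `min_files` files are returned."""
    last_download = defaultdict(dict)      # (user, host) -> path -> (time, size)
    rewritten = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if not r["path"].lower().endswith(HTML_SUFFIXES):
            continue
        key = (r["user"], r["host"])
        if r["direction"] == "o":
            last_download[key][r["path"]] = (r["time"], r["size"])
        elif r["direction"] == "i" and r["path"] in last_download[key]:
            t_down, size_down = last_download[key].pop(r["path"])
            if r["time"] - t_down <= window:
                rewritten[key].append((r["path"], r["size"] - size_down))
    return {k: v for k, v in rewritten.items() if len(v) >= min_files}


def report(sessions):
    """Render the sessions as text; the size delta hints at how much was injected."""
    lines = []
    for (user, host), files in sessions.items():
        lines.append(f"{user}@{host}: {len(files)} HTML files downloaded and re-uploaded")
        for path, delta in files:
            lines.append(f"    {path} ({delta:+d} bytes)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_rewrite_sessions(parse_xferlog(XFERLOG))) or "no rewrite sessions")
```

A legitimate webmaster editing one page produces a single download/upload pair hours apart; a whole tree of HTML files re-uploaded within seconds, each grown by the same number of bytes, is the signature worth escalating, and the remote host in that session is the one whose credentials the post advises rotating.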
As expected, we can confirm more compromised machines. Our current count looks as follows:
7798 UNITED STATES
1094 RUSSIAN FEDERATION
950 ISLAMIC REPUBLIC OF IRAN
881 REPUBLIC OF KOREA
These numbers stand for unique hosts; some of them contain several user directories etc., which means that the real count is much higher than shown here. As mentioned before, each of these hosts spreads a set of malicious files which are sent to a user depending on the computer's environment. We used the site www.virustotal.com to confirm the current detection status across the 41 antivirus vendors who participate in that site. The result showed that currently only 3 out of 41 vendors detect the malicious *.php file which is injected at the above locations. The malicious *.pdf file scored 4/41 and the Flash content was detected by 3 out of 41 vendors. However, the main executable payload was detected by 33 vendors. Of course, these malicious files can be changed at any time by the criminals who operate this scheme. We are closely monitoring further developments in order to protect our users as fast as possible.
Around October 20th we received mails from our office in Turkey about the "possible spread of a new virus". And our colleagues were right, something was going on. Some days before that, on Oct 16th, we noticed changes on some websites which we had been monitoring since May 2009, when 'gumblar' was spreading. While the attack in April/May used only iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are more widely distributed: we identified more than 202 locations.
The following is a TOP 20 list of countries with 'injected' hosts that point to these malicious URLs:
7271 UNITED STATES*
704 RUSSIAN FEDERATION
675 REPUBLIC OF KOREA
619 ISLAMIC REPUBLIC OF IRAN
298 CZECH REPUBLIC
117 VIET NAM
*Note: The US count contains more than 4000 entries pointing to a Persian Blog Site, which probably was the biggest abused entry so far.