May 4, 2010, 12:04PM
Gumblar Botnet Shifts Tactics
Comment 
The criminals behind the Gumblar botnet and malware campaign have been adapting their techniques, as attackers are wont to do, in order not only to evade detection but to prevent researchers from downloading and analyzing new versions of the malware.
A new analysis of the recent activity by Gumblar shows that the current version (or one of the current versions) has a new piece of functionality that checks to see what country a newly infected machine is located in during the initial infection routine. The goal of the bad guys in implementing this check is to prevent Gumblar from infecting any new machines in Japan, where researchers have been quite diligent about finding and taking apart pieces of the Gumblar network.
Gumblar has been infecting servers and PCs for more than a year now, with a high rate of success. The new change of direction by the attackers show that they're not content to stand still.
Editor's Pick
Gumblar developers have noticed non-stop activity coming from many Japanese IPs targeting their system. The hard work analysing the threat and the active online data being harvested from Japan resulted in a response from the bad guys. Not so long ago we came across a new variant of the infector script created by the Gumblar developers which verifies where the remote client is coming from. The script uses a free IP-to-country database to locate the country of the client. And if the country turns out to be Japan, the script halts and doesn't attack. Below is the part of the code which implements it:
Gumblar script
The new research, by Vitaly Kamluk of Kaspersky's Japanese office, found that the complex Gumblar network now comprises at least 4,460 backdoored servers. That's a rather large number of servers, any way you slice it, and a fraction of that number would be plenty to put together a pretty large client botnet.
"At this moment no one has information on how many compromised client machines are in the Gumblar botnet, but we believe it’s more than just the number of compromised servers, because the number of servers represents only the count of infected users that have their own websites and use FTP clients on the infected system," Kamluk wrote.
Commenting on this Article is closed.
Today's Most Popular
- Yahoo Includes Private Key in Source File For Axis Chrome Extension
- Researchers Unveil New Way to Trust Certificates
- FBI Warns Top Firms Of Anonymous Protest Hacks on May 25
- DNSChanger Lingers: 330k Systems Still Infected, 77,000 In The U.S.
- Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops
Most Commented Stories
-
Forget 'Brogrammers,' Women Have The Edge In DEFCON Social Engineering Contest (10)
-
Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops (14)
-
Facebook Cancellation Malware Disguised As Adobe Update Making Rounds (3)
-
HULK DDoS Tool Smash Web Server, Server Fall Down (4)
-
DNSChanger Lingers: 330k Systems Still Infected, 77,000 In The U.S. (2)
Newsletter Sign-up
Take Our Poll
The Internet Crime Complaint Center recently warned of malware targeting travelers connecting to Wi-Fi. When traveling, do you
Connect to anything
21%
Only connect to password-protected, secure connections
39%
Only use websites with HTTPS
27%
I don’t pay attention to how I access the internet while traveling
13%
Total votes: 70
Follow Threatpost
 |  |  |  |
| Tumblr |
