Gumblar, the nasty bit of malware that was part of a mass SQL injection on legitimate Web sites this spring, is continuing to spread and its creators have been busy lately, compromising hundreds of new sites, leading to a massive new wave of infections of end-user PCs.
Gumblar first hit the scene in April, showing up as the latest in a series of similar attacks in which hackers use a variety of techniques, most often SQL injection, to compromise legitimate Web sites. They then either plant malware on the site's back-end server or use an iFrame or other technique to redirect visitors to a remote server. In Gumblar's case, the iFrame redirection is the tactic of choice, and it has been quite effective.
In its original form Gumblar was redirecting victims to one of two remote sites, Gumblar.cn or Martuz.cn. The latest incarnation is pointing victims to thousands of servers in more than 200 countries that are now spreading Gumblar, according to research by Michael Molsner of Kaspersky Lab. More than 7,200 servers spreading Gumblar are in the U.S., and many of the sites compromised around the globe are in the .gov and .edu domains.
Our accumulated data for one week showed 443748 access hits in total – and that is only a part of the whole incident. For several days after we noticed this new threat and added detection of the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The ‘new gumblar’ took some time to get noticed more widely and _still_ seems unnoticed by many. However, it is very active indeed and as a side effect several PC vendors' support lines have been flooded with queries about sudden reboots, etc. There are also reports that machines infected with a buggy version of gumblar fail to boot completely, leaving the screen black and only the mouse pointer visible.
Experts say that many machines infected with Gumblar and similar malware are re-infected soon after being cleaned, because users don't realize that their browsers are vulnerable and that the seemingly safe sites they're visiting are in fact serving malware.