It looks like the group behind the Gumblar mass Web-site infections is beginning to get serious about making some money from all of the servers that the attacks have compromised in the last 18 months. The group has begun using some of its compromised servers in spam operations that are pushing the usual array of male ego-boosters: Viagra and fake watches.
The Gumblar attacks have been ongoing since early 2009 and are thought to be responsible for the compromise of hundreds of thousands of legitimate Web sites since then. The attacks have come in a couple of different waves and researchers have been watching them closely since the beginning, but the one thing that’s been missing is any discernible method for making money from the campaign.
But that seems to be changing.
Recently, researchers have begun to see indications that some of the sites involved in the Gumblar attacks are now being used in spam runs selling fake Viagra and knockoff Rolexes and Omegas. In these cases, the spam messages point recipients to Web stores that contain a link to a malicious site housing the Gumblar attack code. At that point, the user is victimized by the classic Gumblar attack, which tries to exploit a weakness in Adobe Reader or another popular application to download malicious code onto the user’s machine.
“So basically an unsuspecting (and unprotected) user who will click
these links in their mail will experience a typical ‘gumblar-attack’
while browsing a pill catalog. The recent peak of such hybrid attacks
may be a sign that the cybercriminal(s) who’ve been slowly but surely
growing the Gumblar botnet worldwide, and who up until now have been
keen to fly under the radar, are now starting to monetize it. The first
test runs of mixed pharmacy/gumblar pages were actually identified by
our experts as early as April 2010, when we noticed a few mails of this
kind, with subjects like ‘Twitter 61-213,'” Michael Molsner, a malware researcher in Kaspersky Lab’s Japanese office, said in a blog post on the Gumblar attack.
“On further investigation of the involved servers, it turned out that
plenty of them have additional malicious code injected directly into
their www root. We counted mostly gumblar.x but also some ‘pegel.*’ and
other obfuscated code containing iframers or other redirectors.”
Most of the other botnets and mass code-injection attacks that have popped up in the last couple of years have had fairly clear methods for making money, whether it’s renting portions of the botnet to other attackers, stealing and selling online banking credentials or selling access to compromised servers inside a specific network. But the Gumblar malware campaign has been the anomaly in that group, quietly going about the business of owning as many Web and FTP servers as possible.
The fact that the crew is now using some of the servers as part of a malicious pharma spam campaign may signal a new phase of Gumblar’s evolution.