The latest large-scale malware outbreak to hit the Web, known variously as Gumblar, Geno and Martuz, is a multi-stage attack that not only infects compromised machines with a number of separate pieces of malware but also steals credentials and blocks the victim from taking actions to clean the PC.
The Gumblar attack, for all its sophistication, still relies on the basic drive-by download technique to infect machines, and it’s been wildly successful in that endeavor. Some estimates have Gumblar responsible for more than 40% of all Web site infections, and ScanSafe, which has been following the attack, has seen huge increases in the number of infected sites throughout this week. The only good news appears to be that the Chinese domains controlling the infections are down for the time being.
Andrew Martin, a corporate security specialist who writes a technical security blog, has done a lab analysis of Gumblar and produced a detailed deconstruction of the malware’s behavior and capabilities. In short, Gumblar is 100 miles of bad road.
After infecting a machine, Gumblar installs a series of malware programs, including a small application that steals FTP credentials (the stolen logins are what let the attackers inject their code into yet more Web sites), as well as the ever-popular spambot to turn the PC into a mail relay. Gumblar also installs a fake antivirus program known as System Security 2009, and disables whatever legitimate security software the user has installed on the machine.
But the real fun is in the hijacked search results. As Martin points out, Gumblar installs a proxy on TCP port 7171 that redirects search queries. So an infected user searching for information on a restaurant might get an attacker-generated results page full of bogus links.
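A quick way to check a Windows box for the local proxy Martin describes is to look for a process listening on TCP 7171 and for a browser proxy setting that points at it. The script below is an added example, not code from the article or from Martin’s analysis. The port number comes from the article; the idea that the browser’s WinINET ProxyServer value is pointed at 127.0.0.1 is an assumption to verify on a real host, and the netstat output and proxy string it parses are constructed sample input so it runs offline.

```python
"""Look for the Gumblar-style search-hijacking proxy on a Windows host.

Added example (not from the article or Martin's write-up). Two checks:
  1. a process with a TCP listener on port 7171 (port from the article);
  2. a WinINET-style ProxyServer value routing traffic via 127.0.0.1:7171
     (assumption: the malware re-points the browser proxy at itself).
The netstat text and proxy string below are constructed for the demo.
"""
import re
import subprocess
import sys

SUSPECT_PORT = 7171  # local proxy port named in the article

# One data row of `netstat -ano` on Windows. UDP rows have no State column.
#   TCP    127.0.0.1:7171    0.0.0.0:0    LISTENING    1844
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Constructed sample output; the 7171 listener is the planted finding.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:7171         0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.20:49171     74.125.45.100:80       ESTABLISHED     2312
  UDP    0.0.0.0:123            *:*                                    1104
"""
# Constructed ProxyServer value (assumed shape; verify on a real host).
SAMPLE_PROXY = "http=127.0.0.1:7171;https=127.0.0.1:7171"


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) for each data row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header / blank lines
        ip, _, port = m.group("local").rpartition(":")  # handles [::]:port too
        rows.append((m.group("proto"), ip, int(port),
                     m.group("state") or "", int(m.group("pid"))))
    return rows


def find_local_listeners(text, port=SUSPECT_PORT):
    """PIDs of processes with a TCP listener on `port`, sorted."""
    return sorted({pid for proto, _ip, p, state, pid in parse_netstat(text)
                   if proto == "TCP" and p == port and state == "LISTENING"})


def proxy_points_at(proxy_server, port=SUSPECT_PORT):
    """True if any scheme in a ProxyServer value goes through 127.0.0.1:port.

    Accepts both '127.0.0.1:7171' and 'http=127.0.0.1:7171;https=...'.
    """
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        _, _, hostport = entry.rpartition("=")   # drop optional 'scheme='
        host, _, p = hostport.rpartition(":")
        if host in ("127.0.0.1", "localhost") and p.isdigit() and int(p) == port:
            return True
    return False


def scan(netstat_text, proxy_server):
    """Combine both checks into one verdict for a host."""
    pids = find_local_listeners(netstat_text)
    hijacked = proxy_points_at(proxy_server)
    return {"listener_pids": pids, "proxy_hijacked": hijacked,
            "suspicious": bool(pids) or hijacked}


if __name__ == "__main__":
    # On a live Windows host, use real netstat output instead of the sample.
    netstat_text = SAMPLE_NETSTAT
    if sys.platform == "win32":
        netstat_text = subprocess.check_output(["netstat", "-ano"], text=True)
    print(scan(netstat_text, SAMPLE_PROXY))
```

On a real machine the ProxyServer value lives under the current user’s Internet Settings key; read it with whatever registry tool you prefer and pass the string to `proxy_points_at`. A listener PID found by `find_local_listeners` is the process to pull for analysis.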
While the main domains controlling the attack seem to have been taken offline, there are still dozens of other domains involved. Martin has an extensive list of the secondary domains involved with Gumblar.