On the heels of having learned that Gumblar infected three Japanese websites late last year, MesageLabs Intelligence has tracked Gumblar’s latest activity which has been heavy over the past few days, especially on 17 January when it represented 25 percent of all malicious blocks. Generally in January we have seen a small number of blocks each day: average blocks per day 46 (2.3 percent of malicious blocks).
Gumblar: malicious sites blocked by MessageLabs
Some general statistics
• Since Feb 2009 MessageLabs Intelligence has made 36926 blocks of Gumblar on 4930 URLs across 2048 different domains
• Originally the malware was served up via a malicious site called gumblar.cn in April 2009, and the threat was named after that. Subsequently the same malware has appeared on thousands of domains, some set up with malicious intent to infect visitors, and some legitimate sites that have been compromised/changed so that they serve malware to unsuspecting visitors.
• The most commonly blocked top-level domain for Gumblar is .com (48 percent), and most of these are legit compromised sites.
• The next most common ones are .co.uk with 5 percent and .net with 5 percent.
Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services
Infection of Interent Users
Visitors to an infected site will be redirected to an alternative site containing further malware, which was once gumblar.cn, but has now switched to a variety of domains. The site sends the visitor an infected PDF that is opened by the visitor's browser or Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user's computer. The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients' stored passwords. It also enabled promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer.
How does the Gumblar threat fit with other threats that are being blocked? We see a huge variety of different threat names. The names that have accounted for 95 percent of blocks in 2010 so far, are categorized into groups below.
In January, Gumblar sits in a group of threats that is a lot less common than actual blocks of Trojan downloads/sites. Many of the blocks that are labeled Trojans, could be Gumblar-infected sites leading to a site which attempts to download a Trojan, which is then blocked. In November, Gumblar was so active it would have been featured much higher in this table, with at least 20 percent of blocks in November.
The large group labelled “unknown/other” is a variety of different threats, most, if not all, of which are Trojan threats. Rogue AV and sites that sell fake AV protection software are becoming increasingly popular as are phish sites. Bredolab, another type of Trojan, is a utility Trojan much like Conficker/Downadup and is not designed for a specific task. Rather, it’s designed simply to gain control of the victim’s PC, which can later be used by the attacker or the control can be sold to others, in order to install specific malware like a botnet or keylogger.