Gumblar

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: May 19, 2009
Notification Version: 1.1
   
Name: Gumblar
Aliases: GENO (Japan)
Classification(s): malware
Description:

Gumblar is a botnet that infects Web servers and  infected Web site visitors for the purposes of installing malcode  on Personal Computers (PCs) that redirects end-user Google searches to fraudulent Web sites.
Researchers: John Kuhn and Chris Ahearn

 

ISS Coverage
Product Content Version
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor		 various 
Proventia Desktop
Proventia Server IPS (Windows)		 various
Propagation Techniques ISS Protection Available

Web site compromises
 
 
 
 

PC exploits launched from compromised Web sites
 
 
 
 
 
 
 
 
 

 
 

 
 

Malware

Proventia Web application security and the IPS signatures that underpin this technology can help protect your Web site from being compromised by users that have not stolen Web administration credentials. (The malware installed by Gumblar malware attempts to steal FTP login credentials, which wouldn't be caught by monitoring network traffic.)

After compromising a Web site, the attackers set up links and scripts that attempt to exploit Web site visitors through malicious PDFs and movies.  Although many of these exploits may be obfuscated, some of them have been and could continue to be detected by the following IPS signatures:
PDF_JavaScript_Exploit
PDF_Obfuscated_Stream
PDF_Encoded_JavaScript_Tag
PDF_JavaScript_Hex
PDF_JavaScript_Detected
PDF_Shellcode_Detected
Multimedia_File_Overflow
JavaScript_Obfuscation_Rue (PDF obfuscation)
Swf_Suspicious_ActionScript (Flash obfuscation)

If the client-side exploit bypasses IPS, we have seen the malware (that redirects the searches) trigger the UPX_Packed signature.

Proventia-M Troj/JSRedir-R (malware on infected Web sites) and Troj/Daonol-Fam and Troj/PDFEx-AZ (malware downloaded to endpoints)
Proventia Desktop Exploit.PDF-JS.Gen

 2008 through 2009

Detailed Description
Business Impact:

Endpoints (PCs) are the primary target of Gumblar.   Infection means complete compromise of infected Web sites and PCs that they subsequently help to infect.  Successful attacks may lead to exposure of confidential information, loss of productivity, and further compromise.

Affected Platforms:

The malware affecting PCs targets prevalent Microsoft platforms:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003 
Description:

Gumblar is the name of a growing botnet that compromises traditionally non-malicious Web servers in order to exploit Personal Computers (PCs) that visit those Web sites.  Malware that redirects Google searches is planted on the target PC, which provides the attackers with "pay-per-click" or possibly other types of income.  The malware also looks for FTP credentials on the PC and may use them to compromise additional Web sites.

Compromised Web sites do not appear to host malware or exploits, but instead host links and redirects to malicious servers elsewhere.  One of the original servers used the domain gumblar.cn, which changed to martuz.cn and will likely change, again.

References
ScanSafe: http://blog.scansafe.com/
Unmask Parasites Blog: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Revision History
1.0 Initial publication.
1.1 Added new coverage information.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.