Gumblar

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: May 19, 2009
Notification Version: 1.1
   
Name: Gumblar
Aliases: GENO (Japan)
Classification(s): malware
Description:

Gumblar is a botnet that infects Web servers and  infected Web site visitors for the purposes of installing malcode  on Personal Computers (PCs) that redirects end-user Google searches to fraudulent Web sites.
Researchers: John Kuhn and Chris Ahearn

 

ISS Coverage
Product Content Version
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor		 various 
Proventia Desktop
Proventia Server IPS (Windows)		 various
Propagation Techniques ISS Protection Available

Web site compromises
 
 
 
 

PC exploits launched from compromised Web sites
 
 
 
 
 
 
 
 
 

 
 

 
 

Malware

Proventia Web application security and the IPS signatures that underpin this technology can help protect your Web site from being compromised by users that have not stolen Web administration credentials. (The malware installed by Gumblar malware attempts to steal FTP login credentials, which wouldn't be caught by monitoring network traffic.)

After compromising a Web site, the attackers set up links and scripts that attempt to exploit Web site visitors through malicious PDFs and movies.  Although many of these exploits may be obfuscated, some of them have been and could continue to be detected by the following IPS signatures:
PDF_JavaScript_Exploit
PDF_Obfuscated_Stream
PDF_Encoded_JavaScript_Tag
PDF_JavaScript_Hex
PDF_JavaScript_Detected
PDF_Shellcode_Detected
Multimedia_File_Overflow
JavaScript_Obfuscation_Rue (PDF obfuscation)
Swf_Suspicious_ActionScript (Flash obfuscation)

If the client-side exploit bypasses IPS, we have seen the malware (that redirects the searches) trigger the UPX_Packed signature.

Proventia-M Troj/JSRedir-R (malware on infected Web sites) and Troj/Daonol-Fam and Troj/PDFEx-AZ (malware downloaded to endpoints)
Proventia Desktop Exploit.PDF-JS.Gen

 2008 through 2009

Detailed Description
Business Impact:

Endpoints (PCs) are the primary target of Gumblar.   Infection means complete compromise of infected Web sites and PCs that they subsequently help to infect.  Successful attacks may lead to exposure of confidential information, loss of productivity, and further compromise.

Affected Platforms:

The malware affecting PCs targets prevalent Microsoft platforms:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003 
Description:

Gumblar is the name of a growing botnet that compromises traditionally non-malicious Web servers in order to exploit Personal Computers (PCs) that visit those Web sites.  Malware that redirects Google searches is planted on the target PC, which provides the attackers with "pay-per-click" or possibly other types of income.  The malware also looks for FTP credentials on the PC and may use them to compromise additional Web sites.

Compromised Web sites do not appear to host malware or exploits, but instead host links and redirects to malicious servers elsewhere.  One of the original servers used the domain gumblar.cn, which changed to martuz.cn and will likely change, again.

References
ScanSafe: http://blog.scansafe.com/
Unmask Parasites Blog: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

Revision History
1.0 Initial publication.
1.1 Added new coverage information.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.