Rapidly Spreading 'Gumblar' Attack Redirects Users' Web Searches
Malware scripts morph from site to site, and even from page to page within the same site, ScanSafe researchers say
By Tim Wilson, DarkReading, May 14, 2009
A Web-borne malware attack that redirects users' Internet searches is growing "exponentially," and has already infected more than 2,300 Websites, researchers said today.
Researchers at security company ScanSafe are warning users about an emerging series of Website compromises, collectively dubbed "Gumblar," which are spreading at a rapid rate. In the past week, Gumblar site compromises have grown at a rate of 188 percent, making it one of the fastest-growing infections on the Web, ScanSafe says.
"It should be waning by now, but it isn't," says Mary Landesman, senior security researcher at ScanSafe. "It just keeps spreading."
Gumblar, which has been spotted on popular sites such as Tennis.com, Variety.com, and Coldwellbanker.com, is believed to be growing rapidly due to its unique combination of characteristics. The malware resulting from Gumblar forcibly redirects search page results to sites other than those users expect. Many of these pages are imitations of the Websites users actually intended to visit.
"For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded," ScanSafe reports. "The Trojan could then allow cybercriminals control of the victim's computer, leading to a myriad of security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise -- a common malware propagation tactic."
One of Gumblar's exploits is to launch a "man-in-the-browser attack," in which the downloaded malware monitors all traffic to and from the browser, Landesman says. From this position, the malware can selectively swap out links in search results, effectively fooling the user into going to an unintended site.
Landesman speculates that Gumblar might be operating as a "botnet for hire," achieving different ends for different "clients." In many cases, the attack seems to be facilitating click fraud, in which the criminal simply redirects Web traffic to a fraud site in order to collect page views and advertising revenue. In other cases, Gumblar is routing users to malicious sites that might load additional malware onto the user's machine.
"A third potential exploit, which we haven't seen yet, is to redirect users from e-commerce or banking sites for the purpose of fraud, like a traditional phishing attack," Landesman says.
Gumblar is difficult to detect because its scripts vary from site to site, and even from page to page, Landesman says. "The cybercriminals responsible for Gumblar have learned to morph its features quickly," Landesman says. "This, coupled with Gumblar's other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we've seen."
The rapidly changing nature of the attack also makes it difficult for traditional signature detection or blacklisting tools to block, Landesman says. "If you were an individual user, I'd just tell you to disable JavaScript," she says. "But that's not possible for most businesses to do."
ScanSafe is attacking the problem via Web filtering, essentially preventing the user from going to the Gumblar sites and being infected in the first place, Landesman says. "Prevention is really the only workable defense because once you've been infected and your FTP credentials have been stolen, the criminal can modify passwords and make it difficult for you to get control back," she says.
The Gumblar Website, which dishes out the malware, is going to be difficult to find and bring down, Landesman says. While the site itself has a Chinese registry (Gumblar.cn), its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K. "The criminals are doing a really good job of hiding their actual location," she says.
ScanSafe has posted blogs on its Website that describe the malware and its potential effects on enterprises and end users. The company will continue to post updates as the attack spreads, Landesman says.