Gumblar Malware Active Again!

ScanSafe researchers see a renewed activity of Gumblar. It has crashed thousands of websites and blogs like WordPress, Drupal, Joomla and other PHP platforms. Gumblar is a multifunctional malware that spread through attacking PCs while visiting hacked Web pages. It can steal FTP (File Transfer Protocol) credentials and also hijack Google searches which replace results on infected computers with links to other malicious sites. Gumblar malware was first seen last May 2009.

The backdoor script being used to infect legitimate websites has been causing crash to some WordPress blogs and other PHP-based sites. Websites infected with Gumblar contain an iframe – a way to bring content from one web site into another. Those iframes are made invisible by the malware writers. If the victim visits the site, the iframe will start a series of exploits hosted on a remote computer to try and hack the visiting machine.

Gumblar checks to see if the victim’s PC is running unpatched versions of Adobe Systems’ Reader and Acrobat programs. If so, the machine will be compromised by a so-called drive-by download. In this way, Gumblar will infect visitors with variety of online attacks. Users experience error messages while using WordPress and other PHP-based sites which are generated because of a bug in the Gumblar’s malicious code injected in the sites warning the site owners that their site is infected.

Usually, domain names that have been used for malicious purposes are being suspended by domain name registrars. Like what happened to gumbler.cn, where Gumblar got its name, the time that it came out in May of this year. Since those domains are blacklisted, malware writers usually change domains their software looks to for instructions. But for some reason, the gumblar.cn domain was now released and is in use again. The botnet will begin infecting computers again.

Dennis Sinegubko, independent security researcher, discovered that it was really Gumblar’s fault. The authors made some changes to their web code resulting to the current version of Gumblar damaging WordPress blogs and other websites.

According to Landesman, web sites that are still infected with Gumblar can now call back to the newly activated domain allowing those infected PCs to be updated with new malware.

Gumblar is active again! Gumblar has crashed thousands of blogs and websites like WordPress, Drupal, Joomla and other PHP-based sites. It can attack your PC and steals personal information from you. Protect your PC now before any online attacks like Gumblar do the damage, contact Techie Now. We can provide the PC support services you need – virus and spyware removal, performance optimization, installation and configuration, and general repair. Worry no more, Techie Now can help you secure your PC.

You May Also Like