A new malware attack is setting infection records and raising red
flags throughout the security industry. Called ‘Gumblar’, the malware
uses prolific attack methods and carries a dangerous payload.

Researchers say that the attack spreads by compromising
websites and injecting malicious JavaScript code into certain
components of the site. A potential victim runs the risk of being hit
with the JavaScript attack simply by visiting the infected websites.

Once a site is compromised, the malware changes access
credentials and folder permissions in order to allow an attacker a
‘back door’ to the site even when passwords are changed. The malicious
code is also slightly changed, preventing administrators from
automatically searching for and deleting the scripts.

Because the infection is so hard to dispose of, researchers say
that Gumblar has been a lot more successful than previous malware
attacks. First detected in late March, researchers thought that the
attacks had been halted last month when Google delisted the offending
sites. But a new variant of the attack cropped up earlier this month
and has been spreading rapidly. ScanSafe estimates that Gumblar attacks
have jumped by 188 percent in the last week alone, and Sophos credits
Gumblar with up to 42 percent of all malware infections in the past
seven days.

Gumblar’s payload is also said to be extremely dangerous. One
analyst said that the malware intercepts web traffic such as Google
search requests, and redirects it to fraudulent results. This allows
attackers to collect referral fees, and places the user at risk of
further infection.

The malware also contains botnet controllers and is programmed
to collect all FTP permissions on the infected systems, allowing
Gumblar to infect any sites that the user administers, further
fostering the spread to new domains.
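
An added example, not part of the original article: because each injected copy of the script differs slightly and folder permissions are altered, a fixed-string search misses variants, whereas comparing the site against a known-good baseline of hashes and permission bits flags every altered file and folder. The file names, placeholder strings and temporary web root below are constructed for illustration.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> (sha256 or None for directories, permission bits)."""
    snap = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            digest = None
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            snap[os.path.relpath(path, root)] = (digest, mode)
    return snap

def compare(baseline, current):
    """Sorted (path, reason) findings for everything that differs from the baseline."""
    findings = [(p, "missing") for p in baseline if p not in current]
    for path, (digest, mode) in current.items():
        if path not in baseline:
            findings.append((path, "new"))
            continue
        if digest != baseline[path][0]:
            findings.append((path, "content changed"))
        if mode != baseline[path][1]:
            findings.append((path, "permissions changed"))
    return sorted(findings)

def demo():
    """Constructed web root: take a baseline, alter it, then search it two ways."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "images"))
        os.chmod(os.path.join(root, "images"), 0o755)
        for name in ("index.html", "menu.js"):
            Path(root, name).write_text("original content of " + name + "\n")
        baseline = snapshot(root)  # taken while the site is known to be clean
        # Harmless constructed stand-ins for an injected script; each copy differs.
        variants = {"index.html": "/* PLACEHOLDER-A1 */", "menu.js": "/* PLACEHOLDER-B7 */"}
        for name, text in variants.items():
            with open(os.path.join(root, name), "a") as fh:
                fh.write(text + "\n")
        os.chmod(os.path.join(root, "images"), 0o777)  # simulated permission change
        # A fixed-string search built from one copy misses the other copy.
        hits = sorted(n for n in variants if "PLACEHOLDER-A1" in Path(root, n).read_text())
        return hits, compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the web server account cannot write, otherwise it can be altered along with the site.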