A very serious piece of malware has surfaced on the internet, and it is far more dangerous and malicious than earlier malware of its kind. The reason is simple: it sends spam, sniffs FTP login details, overwrites .htaccess files to hijack the search engine results of your website, and disables essential security software.
When a user visits a site infected with this malware, it installs itself on the visitor's machine and starts acting on its own.
Sniffing FTP Login Details
--------------------------
This is the most dangerous and malicious part of the malware's behaviour. It sniffs the FTP logins that the infected systems use to upload their content and sends the captured credentials to the remote attacker. Once the attacker has the FTP logins, they start uploading Perl files (.pl), .cgi files, .js files, .php files and .htm files that contain an injected iframe or malware redirection code. Previously this code was plainly visible when viewing the source of the file, but lately they have started inserting the malicious code as ASCII character codes or hex escapes so that a novice developer will not notice it quickly.
Anti-virus software does not catch this type of injection, because the code is not active until the page is viewed from the website.
The same code is also injected into a website directly, without FTP, through SQL injection or through vulnerable include files that have full write permission. Likewise, if users have unprotected directories with full write permission, those directories are targeted for direct uploads to the server.
Sending Spam
------------
Once the remote attacker has uploaded the malicious Perl file using a password sniffed by the method above, that file can be used to send spam or phishing mail at will. These mails are difficult to trace or control, because most websites have sendmail enabled by default.
Hijacking the Search Engine Results
-----------------------------------
One common way these attackers spread the malware is to overwrite your .htaccess file so that all visitors arriving from search engines such as Google or Yahoo are sent to their malware site. As a user you therefore see the normal site when you type www.domain.com directly, but when you click a search result for that domain in Google or Yahoo, you are redirected to a malware website.
Disables Security Software
--------------------------
This malware is also capable of disabling security software, such as anti-virus, on the system it is downloaded to. This behaviour is predominantly seen on Windows-based systems.
How to secure yourself from such an attack
------------------------------------------
1. First, change the passwords for all your websites immediately. Make sure that FTP login details are strong and not easy to guess.
2. Review the code of your infected website, looking particularly at include files, .js files and the like. Watch for iframes, SQL injection code and long sequences of numbers and digits.
3. Look through your SQL database for any field containing junk code or injected iframes.
4. Check your .htaccess files in the various directories, such as public_html, and see whether any undesired changes have been made to them.
5. Check for any .pl or .cgi file uploaded to your website or to the cgi-bin folder.
6. Check for any unknown files whose names closely resemble the names of files you uploaded to your website.
7. The safest course is to keep a backup of your website, mail and database. Terminate the account, recreate it in your WHM, review the code and database thoroughly, and upload your website again.
8. Make sure that your local LAN and systems run the latest version of the OS with all updates applied.
9. Make sure that all your security software is up to date and functioning properly.
10. Do not allow anyone to access unwanted sites from your local LAN, system or laptop.
11. Make sure that a firewall, such as Windows Firewall or the Zone Labs firewall, is installed and enabled on your systems.
12. Warn all your customers about this issue and make sure that they also keep their systems clean and secure.
13. Advise your customers to change passwords regularly and make sure that passwords are always strong.
14. Advise your customers to use secure and safe FTP software when uploading web pages, and to desist from uploading via public terminals.
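The review in steps 2, 4 and 6 above is tedious to do by eye, particularly when the injected code is hidden as character codes or hex escapes as described in the FTP sniffing section. The script below is an added example, not part of the original post and not a tool from any project it mentions: it scans a set of site files for hidden iframes, for `String.fromCharCode` and escaped-byte obfuscation (decoding the former so the reviewer can see what it hides), and for `.htaccess` rules that redirect only visitors arriving from a search engine. The sample files, the `example.invalid` host and the detection thresholds (eight or more character codes, eight or more escaped bytes) are constructed assumptions for the demonstration.

```python
import os
import re
from typing import Dict, List

# Constructed sample files (not taken from the original post). example.invalid
# is a placeholder host, not a real malware domain.
SAMPLE_FILES: Dict[str, str] = {
    "index.html": "<html><body><h1>Welcome</h1><script src='site.js'></script></body></html>\n",
    "footer.php": (
        "<?php echo 'footer'; ?>\n"
        '<iframe src="http://example.invalid/x" width="1" height="1" style="visibility:hidden"></iframe>\n'
        "<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61));</script>\n"
    ),
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]\n"
        "RewriteRule .* http://example.invalid/ [R,L]\n"
    ),
}

# Tell-tale signs described in the post: tiny or hidden iframes, character-code
# or hex-escape obfuscation, and referrer-conditioned redirects in .htaccess.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_ATTR_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*[01]\b|visibility\s*:\s*hidden|display\s*:\s*none""", re.I
)
CHARCODE_RE = re.compile(r"fromCharCode\s*\(\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})", re.I)
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:%[0-9a-f]{2}){8,}", re.I)
EVAL_DECODE_RE = re.compile(r"\beval\s*\(\s*(?:unescape|atob)\s*\(", re.I)
REFERER_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I | re.M)
EXTERNAL_RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "live", "ask", "aol")
SCAN_SUFFIXES = (".php", ".js", ".html", ".htm", ".pl", ".cgi", ".htaccess")


def decode_charcodes(code_list: str) -> str:
    """Turn a comma-separated fromCharCode argument list back into readable text."""
    return "".join(chr(int(n)) for n in code_list.split(","))


def find_hidden_iframes(text: str) -> List[str]:
    """Return iframe tags that are 0/1 pixel in size or styled invisible."""
    return [m.group(0) for m in IFRAME_RE.finditer(text) if HIDDEN_ATTR_RE.search(m.group(0))]


def find_obfuscated_js(text: str) -> List[str]:
    """Describe character-code sequences, escaped byte runs and eval/unescape wrappers."""
    findings = []
    for m in CHARCODE_RE.finditer(text):
        findings.append(f"fromCharCode sequence decodes to {decode_charcodes(m.group(1))!r}")
    for m in HEX_RUN_RE.finditer(text):
        findings.append(f"long escaped byte run ({len(m.group(0))} chars)")
    if EVAL_DECODE_RE.search(text):
        findings.append("eval() wrapped around unescape()/atob()")
    return findings


def find_referrer_redirects(htaccess: str) -> List[str]:
    """Flag RewriteCond/RewriteRule pairs that send search-engine visitors off-site."""
    conds = [c.lower() for c in REFERER_COND_RE.findall(htaccess)]
    engine_cond = any(e in c for c in conds for e in SEARCH_ENGINES)
    targets = EXTERNAL_RULE_RE.findall(htaccess)
    if not (engine_cond and targets):
        return []
    return [f"search-engine referrer redirected to {t}" for t in targets]


def scan_text(name: str, text: str) -> List[str]:
    """Apply the .htaccess checks or the page-content checks depending on the file name."""
    if name.endswith(".htaccess"):
        return find_referrer_redirects(text)
    findings = [f"hidden iframe: {tag}" for tag in find_hidden_iframes(text)]
    return findings + find_obfuscated_js(text)


def scan_site(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to its findings, omitting clean files."""
    report: Dict[str, List[str]] = {}
    for name, text in files.items():
        findings = scan_text(name, text)
        if findings:
            report[name] = findings
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Read every web file under root (e.g. a public_html backup) and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(SCAN_SUFFIXES):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_site(files)


if __name__ == "__main__":
    for name, findings in scan_site(SAMPLE_FILES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of the site taken from backup with `scan_directory("public_html")`; the clean `index.html` in the sample produces no findings, while `footer.php` is reported for both the one-pixel hidden iframe and the character-code sequence (which decodes to `<iframe src=`), and `.htaccess` for the rule that redirects search-engine referrals to an external host. A match is a prompt for manual review of that file against your own copy, not proof of compromise on its own, since legitimate pages occasionally use small iframes or referrer-based rewrites.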
Posted by: websarga | June 12, 2009
Gumblar – Malware
Posted in Uncategorized | Tags: Gumbler Attack
Thanks for posting this… very helpful
By: Manish on June 12, 2009
at 10:58 am