» 29 May 2009
Move Over, Conficker! Gumblar is Here!
A security firm reported on Thursday that Gumblar, the newest online malware menace to hit the Internet since the quickly forgotten Conficker superworm, has added new domain names to help its spread across the Information Superhighway, tampering with and worsening web traffic, stealing FTP credentials to victimize more pages, and injecting all sorts of harmful content onto unsuspecting machines.

The emergence of this new Internet horror began as early as last March, with websites being invaded and taken over with seeming ease as malicious code was inserted into their pages. ScanSafe, a privately held provider of web security service solutions, reported last week that the malware infected sites via the gumblar.cn domain, part of a complex network that used a China-based domain linked to Latvian and Russian IP addresses that were sending code from servers within the United Kingdom.

However, as website owners scrambled to apply patches, fixes, and malware scans for their domains, the hackers responsible for the attack replaced the previous Gumblar code with obfuscated, dynamically generated JavaScript that is difficult for security tools to detect. The authors of the hack also changed the gumblar.cn domain name to martuz.cn, but both of these have now been taken down, according to the Internet security company.

This Friday, Mary Landesman—a ScanSafe senior security researcher—explains that the configuration changes to the servers hosting the infected websites enabled attackers to continue using the botnets and add extra domains for spreading exploit code onto the machines of Internet surfers browsing the sites. People should be wary of these new developments because, according to her, the Gumblar attacks on websites will inevitably start again sooner or later.

Like the mythological Grecian monster known as the Hydra, Gumblar is responding to security measures against it by evolving into a more dangerous and elusive website compromise. Currently, it is building two botnets at the same time: one reserved for infected PCs, and the other reserved for compromised websites, Landesman warns. Visiting the infected web pages with JavaScript enabled will get your PC infected as well, adding it to the PC botnet.

According to ScanSafe, about 37% of all malware blocked by the service during the first two weeks of May originated from Gumblar, and the number of sites infected by the hack increased exponentially, by more than 3,000, during the same period. It is still unknown how many sites Gumblar has infected in total, but Landesman speculates that it could be in the region of tens of thousands or worse.

© Copyright 1999-2012: SecPoint®
SecPoint ApS Noerregade 7B - 1165 Copenhagen K - Denmark
US Toll free: +1-888-704-7297 - EU: +45-70-235-245