Security Intelligence Operations

Gumblar infections are spreading quickly and becoming an increasing threat to users.

A new malicious software, Gumblar, has begun to infect websites and end-user systems. Gumblar employs obfuscation methods to defeat signature-based virus detection and steals user account credentials to legitimate websites, which could allow attackers to further spread the malicious software.

Initial infections may rely on browser-based vulnerabilities or vulnerabilities in Adobe Flash or PDF applications. On infected systems, Gumblar monitors ongoing FTP sessions to steal user account credentials. The attackers can then recover the credentials and use the authentication information to manipulate websites via FTP access. Attackers may also install malicious code on those legitimate sites to continue to spread malicious code infections.

On infected systems, Gumblar subverts and replaces the results of Internet search websites, which could allow attackers to redirect user search results. By redirecting search results to malicious sites, attackers can continue to infect additional systems and increase network traffic to malicious sites. By increase site traffic and advertising revenue through the manipulation of search results, site owners can profit from the malicious activity.

Infections of Gumblar are spreading quickly. According to Sophos, the malicious software accounted for 42 percent of Internet infections over a weekly period. As Gumblar is becoming more common, administrators are advised to consider putting protections in place immediately. In particular, site maintainers are advised to audit their websites for infections and remove any that are discovered.

Version 1, May 18, 2009, 4:56 PM: Gumblar is a malicious code that attempts to gather FTP credentials from user systems and may redirect a user's search results to malicious sites.