One of the fastest-growing malware infections, Gumblar, is currently propagating across the internet and emerging as one of the biggest and most dominant online threats. Gumblar is an attack that compromises legitimate websites through theft of FTP credentials and injection of malicious script. Gumblar is able to steal FTP login information from webmasters' systems and then spread through compromised sites.
A Gumblar attack happens when a user searches for a term through Google and the results returned include a website that was compromised through FTP and injected with malicious script. The malicious code was found in .php, .js and .html files, all of which are commonly used on websites.
Gumblar gets its name from the site "gumblar.cn", which is the site that the infection downloads its malicious code from. Sophos refers to Gumblar as Troj/JSRedir-R. According to Sophos, Troj/JSRedir-R accounted for about 42% of all malicious infections found on web pages just a few weeks ago. Gumblar could be much worse than the popular, media-driven Conficker worm by a long shot, particularly because some high-traffic websites have been hit with the attack recently, which could have infected thousands of computers in a short amount of time. If this holds true in the months to come, the number of infected systems could potentially surpass the number of Conficker-infected machines.
Why is Gumblar one of the biggest online threats?
Gumblar spreads to systems when users visit infected websites. If a webmaster does not take action to lock down the FTP credentials stored locally on their system, an attacker could steal the usernames and passwords for a website that the webmaster runs. FTP login information allows an attacker to upload malicious files to a specific website, which could then infect users who visit that site. Gumblar is also difficult to detect or remove due to its ability to dynamically generate code, which replaces the original malicious code with updated or changed scripts.
Since the first attacks in March 2009, Gumblar has grown to be the number one malware infection on security experts' radar screens. Security research groups have confirmed that Gumblar is found nearly six times more often than any other malicious infection. In addition, Sophos, a security vendor, has found a new infected site every 4.5 seconds.
Because computer users "trust" well-known, legitimate sites, they do not fear becoming infected by a website that they visit on a daily basis. Gumblar is one infection that is able to infect a well-known, legitimate site without computer users ever knowing about it. Usually, their system is infected without notification, and at the same time, they risk theft of FTP credentials that may be stored on one of the infected systems.
Do you store FTP login information on your home or office computer? If you are a webmaster, do you ever fear that your website's FTP login username and password could be compromised and used to inject your website with malicious code that infects your visitors?