Gumblar Domain is Active Again

It's Back! The Gumblar malware home domain was discovered as being inactive and then reactivated once again which means we may see an influx of hacked web sites.

Gumblar is known as a vicious parasite that is able to steal FTP login credentials of web pages in addition to having the ability to hijack Google search results on infected computers. Search results laced with malware has been an increasing epidemic for some time now and with the recent restart of the Gumblar home page, gumblar(dot)cn (read more on gumblar(dot)cn), we may see an increase in these activities once again.

The nature of Gumblar is to sneak malicious content onto a compromised website through an iframe which displays information from another website without the users' knowledge. Gumblar also checks to see if a hacked system is running un-patched versions of Adobe Reader or Acrobat in an effort to compromise the computer through a drive-by-download.

The researchers at ScanSafe found that the Gumblar home page was reactivated in the past 24 hours after it was taken offline. Our first discovery of Gumblar in March revealed that this malware actively looked for its malicious instructions at the gumblar.cn server which it can now reconnect to for additional instructions once again.

Usually when a domain has been found to be of malicious in content, it is then suspended by a domain name registrar but the gumblar.cn domain has become active again which has some researchers puzzled. This means that websites that were infected by Gumblar will not be able to contact the Gumblar domain for further instructions which could be updated with new malware.

Does this mean we will see a major increase in the number of compromise websites and poisoned web search results? We are willing to bet that you WILL see an increase in these malicious activities as we already have in the past months time. It is best to take the necessary precautions in guarding your login credentials if you run a website.