Posted by John Kuhn and Ryan McNulty with a little help from Holly Stewart on October 19, 2009 at 4:12 PM EDT.
Gumblar is back, and it has an upgraded arsenal of exploits to compromise your browser, Office, and Adobe® products.
Here in Managed Security Services, we’ve noticed a considerable elevation in our global hits on malicious PDF files. More specifically, the signature used to detect the latest Adobe Reader Remote Code Execution has picked up most of the activity. Here's a graph of the attacks we’re seeing:
The event count on Oct 19 ended at over a thousand events, five times the normal event count for this kind of malicious PDF and nearly double the attack activity of this kind we've seen in the past.
Upon reviewing the data, it became very apparent that the sites hosting the malicious files were legitimate websites (privately owned and operated). All of these websites have been compromised and are now indiscriminately serving the malicious payload to countless victims.
In the past, Gumblar has been known to use stolen FTP credentials to compromise its victims' websites. We can only guess that these compromises were no different. As website visitors get infected, they are (unknowingly) farmed for any FTP credentials, seemingly providing the Gumblar controllers with an endless supply of future websites they can compromise.
So what’s different this time around? In previous versions of Gumblar, the malicious scripts and payload were hosted on a remote server. Iframe code was injected into the compromised website, and it redirected visitors to their rogue server (gumblar.cn). This time around, they are placing the malicious scripts and payload directly on the compromised host, which gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world.
The uploaded scripts are placed carefully to match existing file structures currently on the websites. Heavy obfuscation is used in an attempt to evade some existing security measures.
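Because the scripts are dropped onto the compromised host itself and named to blend into the existing layout, the practical check for a site owner is a known-good file manifest plus a content scan of anything new or changed. The following is an added example, not code from the original post: it compares a constructed sample site against a baseline of hashes and flags off-site iframes and decoder calls wrapped around long escape runs (the specific heuristics are assumptions, since the post only says "heavy obfuscation"; the hosts and file names are made up).

```python
import hashlib
import re

# Heuristics assumed for this example: an iframe whose src points off-site, and
# eval/unescape applied to a long run of %XX or \xXX escapes.
DECODER_RE = re.compile(r"\b(?:eval|unescape)\s*\(", re.I)
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){40,}")
IFRAME_SRC_RE = re.compile(
    r"<iframe[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def content_findings(content: str, site_host: str) -> list:
    """Return content-based indicators found in one web file."""
    findings = []
    for host in IFRAME_SRC_RE.findall(content):
        host = host.lower()
        if host != site_host and not host.endswith("." + site_host):
            findings.append("offsite-iframe:" + host)
    if DECODER_RE.search(content) and ESCAPE_RUN_RE.search(content):
        findings.append("obfuscated-script")
    return findings


def scan_site(files: dict, baseline: dict, site_host: str) -> dict:
    """Compare live files with a known-good hash manifest; report anything
    new, modified, or carrying an indicator, as {path: (status, findings)}."""
    report = {}
    for path, content in files.items():
        digest = sha256_hex(content)
        status = ("new" if path not in baseline else
                  "modified" if baseline[path] != digest else "unchanged")
        findings = content_findings(content, site_host)
        if status != "unchanged" or findings:
            report[path] = (status, findings)
    return report


# Constructed sample: a clean baseline, then the same site after an injected
# iframe and a new obfuscated script named to blend into the js/ directory.
SITE_HOST = "example.org"
CLEAN_INDEX = "<html><body><h1>Welcome</h1><script src='js/menu.js'></script></body></html>"
CLEAN_MENU = "function toggleMenu(){document.getElementById('m').style.display='block';}"
BASELINE = {"index.html": sha256_hex(CLEAN_INDEX), "js/menu.js": sha256_hex(CLEAN_MENU)}
INJECTED_INDEX = CLEAN_INDEX.replace(
    "</body>", "<iframe src='http://malicious.invalid/x.php' width=0 height=0></iframe></body>")
OBFUSCATED_JS = "eval(unescape('%s'))" % "".join(
    "%%%02X" % b for b in b"document.write('<!-- constructed sample -->');")
CURRENT_FILES = {"index.html": INJECTED_INDEX, "js/menu.js": CLEAN_MENU,
                 "js/jquery.min.js": OBFUSCATED_JS}
```

Running `scan_site(CURRENT_FILES, BASELINE, SITE_HOST)` reports `index.html` as modified with an off-site iframe and `js/jquery.min.js` as a new obfuscated script, while the untouched `js/menu.js` is not listed.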
Here's a snippet of the obfuscated malicious script:
Some of the attack vectors have also changed. Today, we see the following exploits in play:
- A PDF exploit
- Adobe Flash (the same Flash exploit we’ve seen Gumblar use in the past)
- Microsoft Office Web Components
All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide. Antivirus coverage for the updated Trojan is still very low according to an analysis done through VirusTotal.
Your best means of protection is to use protections provided by your IPS/IDS device and to apply the latest patches for all of the affected applications, if you haven’t already done so.
Gumblar is a force to be reckoned with, and this latest push of theirs is a true testament to that fact. As always, we’ll do our best to keep you informed of its changes and activities here.
Tue, Oct 20, 2009: Updated the chart to reflect the event count total at the end of Monday.