Gumblar site infections return, WordPress among affected

In the latest wave of Gumblar attacks, the backdoor script being used to infect legitimate websites has been causing some WordPress blogs and other PHP-based sites to crash, security researchers warned this week.

“On various forums, you can find posts where webmasters report similar problems with their WordPress blogs,” independent security researcher Denis Sinegubko wrote on his Unmask Parasites blog on Thursday. “Their sites are broken and all they can see is error messages.”

Researchers said the messages are being generated because of a bug in the Gumblar malicious code that has been injected in these sites.

"[The error messages] should serve as a clear warning to site owners that their site has been compromised," Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com on Friday.

She recommended website administrators properly secure their sites before bringing them back online.

The buggy code comes with one benefit: It is preventing some compromised sites from serving the malicious content and infecting visitors, Sinegubko said.

"[But] in thousands of other cases, the error doesn't occur and those backdoored sites continue to act as malware hosts," Landesman said.

So-called Gumblar attacks first caused a stir in May after it was discovered that thousands of legitimate sites had been injected with malicious code that causes visitors to be infected with a family of trojans. The attack was named Gumblar after the domain, Gumblar.cn, which initially hosted the malware.

Landesman said she is unsure how many Gumblar-infected sites currently exist, though they may number in the hundreds of thousands.

If a user's PC becomes infected, the malware causes the browser to redirect Google search results. It also steals FTP credentials used by webmasters, Landesman said. Once the attacker has those credentials, the victim site is infected with a backdoor that enables attackers to get back in whenever they want -- even if a website administrator resets the FTP credentials.

By now, those behind Gumblar have essentially built up a botnet of infected sites, which makes the malware campaign more difficult to disrupt, Landesman said.

“This is the first time we have seen malware creating a botnet out of compromised websites themselves,” she said.

In the latest wave of Gumblar attacks, which began this October, attackers began utilizing this botnet, Landesman said. Instead of having just a few attacker-owned, malware-hosting domains for all infected sites to point to, as is typically the case with web malware outbreaks, attackers have tapped into their botnet, allowing them to host the malicious content on thousands of compromised sites. In addition, other compromised sites have been injected with IFRAMEs that point to those hosts.
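The two symptoms the article describes, an injected IFRAME pointing at another compromised host and a backdoor script added to a site's PHP files, are both things a webmaster can look for in the site's own files. The following scanner is an added illustration written for this page; it is not code from the article, from the researchers quoted, or from the Gumblar samples themselves. The sample files, the `malware-host.example` address, the `SITE_HOSTS` whitelist and the obfuscation patterns are all constructed for the example; it flags hidden IFRAMEs whose source is a host other than the site's own, and PHP files that feed a decoder's output straight into `eval()`, a generic heuristic rather than a Gumblar signature. As the article notes, rotating FTP credentials alone does not evict the backdoor, so any hit should be followed by removing the injected code and re-issuing credentials from a clean machine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample site files (not real Gumblar code): a clean page, a page
# with an injected hidden IFRAME to an external host, and a theme file with an
# obfuscated eval() wrapper of the kind injected backdoors commonly use.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "footer.php": (
        "<?php echo date('Y'); ?>\n"
        '<iframe src="http://malware-host.example/in.php" width="1" height="1" '
        'style="visibility:hidden"></iframe>\n'
    ),
    "wp-content/themes/x/functions.php": (
        "<?php\n"
        "function theme_setup() { add_theme_support('menus'); }\n"
        "eval(base64_decode('ZWNobyAiaGkiOw=='));\n"
    ),
}

# Hosts that legitimately belong to the site being scanned (assumed values).
SITE_HOSTS = {"www.example.org", "example.org"}


@dataclass
class Finding:
    path: str
    reason: str
    snippet: str


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Styling or 0/1-pixel dimensions that make an IFRAME invisible to visitors.
HIDDEN_RE = re.compile(
    r"""(visibility\s*:\s*hidden|display\s*:\s*none"""
    r"""|width\s*=\s*["']?[01]\b|height\s*=\s*["']?[01]\b)""",
    re.IGNORECASE,
)
# eval() applied directly to a decoder's output: a common backdoor shape.
OBFUSCATED_PHP_RE = re.compile(
    r"""eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(""",
    re.IGNORECASE,
)


def scan_file(path, content, site_hosts):
    """Return a list of Findings for one file's contents."""
    findings = []
    for m in IFRAME_RE.finditer(content):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if not src:
            continue
        host = urlparse(src.group(1)).hostname
        external = host is not None and host not in site_hosts
        hidden = bool(HIDDEN_RE.search(tag))
        if external and hidden:
            findings.append(Finding(path, f"hidden iframe to external host {host}", tag))
    for m in OBFUSCATED_PHP_RE.finditer(content):
        findings.append(Finding(path, "obfuscated eval() wrapper", m.group(0)))
    return findings


def scan_site(files, site_hosts=SITE_HOSTS):
    """Scan a mapping of path -> file contents and collect all Findings."""
    results = []
    for path, content in files.items():
        results.extend(scan_file(path, content, site_hosts))
    return results


if __name__ == "__main__":
    for f in scan_site(SAMPLE_FILES):
        print(f"{f.path}: {f.reason}\n    {f.snippet.strip()}")
```

On a real site the `files` mapping would be built by walking the web root (and the scan repeated after cleanup, since a surviving backdoor re-injects content); an IFRAME to the site's own host, such as an embedded video page, produces no finding.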
