Malware, Network Security, Vulnerability Management

Gumblar site infections return, WordPress among affected

In the latest wave of Gumblar attacks, the backdoor script being used to infect legitimate websites has been causing some WordPress blogs and other PHP-based sites to crash, security researchers warned this week.

“On various forums, you can find posts where webmasters report similar problems with their WordPress blogs,” independent security researcher Denis Sinegubko wrote on his Unmask Parasites blog on Thursday. “Their sites are broken and all they can see is error messages.”

Researchers said the messages are being generated because of a bug in the Gumblar malicious code that has been injected in these sites.

"[The error messages] should serve as a clear warning to site owners that their site has been compromised," Mary Landesman, senior security researcher at ScanSafe, told on Friday.

She recommended website administrators properly secure their sites before bringing them back online.

The buggy code comes with one benefit: It is preventing some compromised sites from serving the malicious content and infecting visitors, Sinegubko said.

"[But] in thousands of other cases, the error doesn't occur and those backdoored sites continue to act as malware hosts,” Landesman said.

So-called Gumblar attacks first caused a stir in May after it was discovered that thousands of legitimate sites had been injected with malicious code that causes visitors to be infected with a family of trojans. The attack was named Gumblar after the domain,, which initially hosted the malware.

Landesman said she is unsure how many Gumblar-infected sites currently exist, though they may number in the hundreds of thousands.

If a user's PC becomes infected, the malware causes the browser to redirect Google search results. It also steals FTP credentials used by webmasters, Landesman said. Once the attacker has those credentials, the victim site is infected with a backdoor that enables attackers to get back in whenever they want -- even if a website administrator resets the FTP credentials.

By now, those behind Gumblar have essentially built up a botnet of infected sites, which makes the malware campaign more difficult to disrupt, Landesman said.

“This is the first time we have seen malware creating a botnet out of compromised websites themselves,” she said.

In the latest wave of Gumblar attacks that began this October, attackers began utilizing this botnet, Landesman said. Instead of having just a few attacker-owned, malware-hosting domains for all infected sites to point to, as is typically the case with web malware outbreaks, attackers have tapped into their botnet, allowing them to host thousands of sites. In addition, other compromised sites have been injected with IFRAMEs that point to those hosts.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.