Gumblar revisited

Readers may have noticed some of the recent rumours about new Gumblar-related activity. The original Gumblar attack (May 2009) involved the mass-defacement of huge numbers of legitimate sites with a malicious script Sophos products blocked as Troj/JSRedir-R. The purpose of this was to infect users with a data-stealing Trojan known as Troj/Daonol-Fam.

The payload of the recent attacks looks similar, the malicious binaries now being detected as Mal/Daonol-A.

As with the previous wave of site defacements, it appears to be stolen FTP credentials that are driving the new attacks. These enable the attackers to upload malicious PHP scripts, which are then used to construct the attack. Unlike the previous attacks, the payload is now also being hosted on compromised hosts, making the attacks more resilient.

At the end of last week, we managed to get hold of one of the key PHP script components being used by the attackers. Analysis of the script gives us some interesting insights into these attacks.

The PHP script can be used by the attackers to inject a malicious script into all suitable pages on the victim site. Files below ~200kB whose extension does not match any of the following are targeted (up to a maximum of 5 within any particular directory):

  • .zip
  • .rar
  • .gz
  • .jpg
  • .avi
  • .mp3
  • .wma
  • .mpg
  • .png
  • .txt
  • .swf
  • .css
  • .js
  • .log
  • .pdf
  • .ppt
  • .fla
  • .as
  • .tar

Some simple techniques are used to make the injected scripts mildly polymorphic (between each injected page). These include function/variable substitution and simple string obfuscation.

The purpose of the injected script is simple – adding a script element to the page which will cause the browser to load further malicious content from a remote server (hosted on another compromised site).

The PHP script makes it trivial for the attackers to change the redirection payload of the scripts that are injected into pages. Issuing an HTTP request to the PHP script with the desired target domain in the query string is all that is required. So, requesting http://compromised_site_A/path/gumblar.php?dom=compromised_site_B will result in:

  • removal of any injected scripts previously added to suitable pages on compromised_site_A
  • injection of new scripts, whose payload will be to load content from compromised_site_B
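As an added example (not SophosLabs' code and not the attackers' script), the following Python helper applies the file-selection rules described above to a web root and flags candidate pages whose script elements load from a host other than the site's own. It assumes the 200kB threshold is exact, uses constructed host names, and checks every candidate rather than five per directory, since which five the kit picks is not stated.

```python
"""Webmaster triage helper: find pages the kit would target and flag those
that now pull a script from a foreign host. Added example, not Sophos code."""
import os
import re

# Extensions the kit skips, as listed in the post.
SKIPPED_EXTENSIONS = {
    ".zip", ".rar", ".gz", ".jpg", ".avi", ".mp3", ".wma", ".mpg", ".png",
    ".txt", ".swf", ".css", ".js", ".log", ".pdf", ".ppt", ".fla", ".as", ".tar",
}
MAX_SIZE = 200 * 1024  # "below ~200kB"; exact threshold is an assumption

# Absolute or protocol-relative src on a <script> element; host is group 1.
_SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)", re.I)

# Constructed sample page (not a real capture): the site's own script plus an
# injected element loading from a second compromised host.
SAMPLE_PAGE = (
    '<html><head><script src="/js/site.js"></script>'
    '<script src="http://compromised-site-b.example/x.php"></script>'
    '</head><body>hello</body></html>'
)


def is_candidate(filename, size):
    """True if the kit's extension and size rules would select this file."""
    ext = os.path.splitext(filename)[1].lower()
    return size < MAX_SIZE and ext not in SKIPPED_EXTENSIONS


def foreign_script_hosts(html, own_host):
    """Sorted hosts, other than the site's own, that <script src> loads from."""
    hosts = {m.group(1).lower() for m in _SCRIPT_SRC.finditer(html)}
    return sorted(h for h in hosts if h != own_host.lower())


def triage_webroot(root, own_host):
    """Walk root; return {path: [foreign hosts]} for candidate files that
    contain a script element loading from somewhere other than own_host."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not is_candidate(name, os.path.getsize(path)):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hosts = foreign_script_hosts(fh.read(), own_host)
            if hosts:
                flagged[path] = hosts
    return flagged
```

Run `triage_webroot("/var/www/html", "your-site.example")` over a copy of the web root; any hit is a page to inspect, and a legitimate CDN host will show up too, so review the list rather than deleting blindly.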

This makes the new wave of attacks more resilient to URL filtering. Sophos customers are protected – aside from detecting the payload as Mal/Daonol-A, pages injected with the redirection scripts are blocked as Troj/JSRedir-AE. Indications at this point are that a large number of sites have been affected – the detection is already contributing almost 4% of all web-based threats seen over the past 48 hours.

Additionally, detection for the malicious PHP scripts uploaded to compromised sites has been added as Troj/PHPMod-B. If you are a webmaster or hosting provider and encounter this detection, please let us know. It would be interesting to collect further samples of the PHP kits being used.