Gumblar.cn exploit - Detection, Removal and Protection
Written by Anthony Ayson
Monday, 18 May 2009

What is Gumblar.cn

Gumblar.cn is a website currently blacklisted by google.com and labeled as a potentially dangerous website. The site is known to host a variety of malicious scripts and Trojans that can infect your computer.
Malware delivered by this site has been reported to do the following:
  1. Redirect Google search engine results. Victims run the risk of having their Google search results replaced with links that point to other malware sites.
  2. Steal FTP credentials, which the malware uses to gain access to website files and insert malicious code into certain documents.

Below is the Google Safe Browsing diagnostic page for gumblar.cn:

What is the current listing status for gumblar.cn?
Site is listed as suspicious - visiting this web site may harm your computer.

What happened when Google visited this site?
Of the 3 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-17, and the last time suspicious content was found on this site was on 2009-05-17. Malicious software includes 24 scripting exploit(s), 6 trojan(s). This site was hosted on 1 network(s) including AS42831 (UKSERVERS).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, gumblar.cn did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 16141 domain(s), including sangsangmadang.com/, scdigest.com/, wanted.az/.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Websites infected by gumblar.cn exploits

I am unsure how the exploit manages to insert itself into its target documents, but my guess is via a compromised FTP source. So far, it has been known to affect the following files: .html, .php, .js.


How to detect gumblar.cn on infected websites.
Upon visiting an infected website, you will notice in your browser status bar that the site redirects to gumblar.cn. This initiates a script that silently loads and executes other malware.

I have discovered a great site that can detect malware: www.unmaskparasites.com
Simply enter the website URL in the input box and hit the “check” button; unmaskparasites.com will scan the target website and display suspicious scripts and links.


How to detect gumblar.cn on infected webpages and files.
The gumblar.cn mal-script appears to be dynamically generated and thus varies not only from site to site, but also from page to page on the same site. In addition, the resulting script is heavily obfuscated, further hampering signature-based detection.

The injected block, however, generally starts with “(function(”.

On one of the sites we disinfected, we found this string…”(function(roe3S){var xKU='%';var faig='v"61r"20"61"3d"22ScriptEngine"22"2cb"3d"22Version("29+"22"2c...”.

Near the end of the code there is a “.replace(” call.


Where to look:

  1. In .js (JavaScript) files, it is usually located at the very end.
  2. In .php and .html files, it is usually located just before the body tag.

How to remove gumblar.cn from infected website files.

I am not aware of any tool that can detect and remove the gumblar.cn scripts. Manually removing the line of code from the web documents is the only way to go.


How do you protect yourself from gumblar.cn
  1. Install reputable malware detection software and scan your PC with it. Personally I have found www.malwarebytes.org to be effective.
  2. Change the permissions on files that do not require write permission. Set them to 755 (chmod 755).
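As an added example that is not part of the original post, the following Python script applies the detection heuristics described above (the “(function(” opener, the single-character “%” variable, the hex-escaped blob and the trailing “.replace(”) to the .html/.php/.js files under a web root, decodes what the blob would unescape to, and also flags files that are group- or world-writable, which the 755 advice in the protection step addresses. The sample fragment, the regular expression, the delimiter guess and the file-extension list are my assumptions, not the post's.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample modelled on the fragment quoted in the post: one variable
# holds "%", the payload uses '"' as its escape delimiter, and .replace() swaps
# them back before the string is unescaped and eval'd.
SAMPLE = ('<p>Welcome</p>\n(function(roe3S){var xKU=\'%\';'
          'var faig=\'v"61r"20"61"3d"22ScriptEngine"22"2cb"3d"22Version("29+"22"2c\';'
          'eval(unescape(faig.replace(/"/g,xKU)))})();\n<body>')

# Heuristic from the post: an IIFE opening, a one-char "%" variable, a quoted
# blob of two-hex-digit escapes, and a .replace( call somewhere after it.
PATTERN = re.compile(
    r"\(function\(\w+\)\{var \w+='%';var \w+='([^']+)'.*?\.replace\(", re.S)
SUSPECT_EXTENSIONS = {'.html', '.htm', '.php', '.js'}

def decode_blob(blob):
    """Reverse the escaping: the first non-alphanumeric character is assumed
    to be the delimiter; swap it for '%' and URL-decode the result."""
    delim = re.search(r'[^0-9A-Za-z]', blob).group(0)
    return unquote(blob.replace(delim, '%'))

def scan_text(text):
    """Return (offset, decoded payload) for the first match in text, or None."""
    m = PATTERN.search(text)
    return (m.start(), decode_blob(m.group(1))) if m else None

def scan_tree(root):
    """Walk a web root; report matching files and whether they are group- or
    world-writable, which the post's advice (mode 755) would rule out."""
    hits = []
    for path in Path(root).rglob('*'):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        found = scan_text(path.read_text(errors='replace'))
        if found:
            mode = path.stat().st_mode & 0o777
            hits.append({'file': path.name, 'offset': found[0], 'decoded': found[1],
                         'mode': oct(mode), 'writable_by_others': bool(mode & 0o022)})
    return hits

def demo():
    """Drop the sample plus a clean file into a temp web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, 'index.html').write_text(SAMPLE)
        Path(root, 'site.js').write_text('function ok(){return 1;}')
        return scan_tree(root)
```

The decoded prefix of the quoted sample comes out as `var a="ScriptEngine",b="Version()+",`, which is the browser-fingerprinting preamble the obfuscation hides; run `scan_tree` against a real document root to list matching files and their modes.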


References:

  1. http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
  2. http://www.google.com/safebrowsing/diagnostic?site=gumblar.cn