‘Gumblar’ spreads across web, becomes one of the most successful malware attacks so far

May 15, 2009

Named after one of the attack domains, ‘Gumblar’ is a new and complex malware attack that uses effective attack methods and carries a heavy payload.

Analysts suggest that the malware compromises websites by injecting malicious JavaScript code into certain parts of a website. The victim only has to visit infected pages to run the risk of the JavaScript attack.

The malware alters access credentials and folder permissions of the compromised website, giving an attacker back-door entry to the site even after the user has changed passwords. Administrators will be unable to search out and delete the scripts, as the malicious code will be altered in certain ways.

This malware attack was first detected in March, but it was thought that the attacks were halted in April, when Google delisted the attacking sites. However, a new variant of Gumblar has arisen recently and has been spreading very quickly. Security firm ScanSafe estimated that Gumblar attacks increased by 188 per cent in the last week alone.

Mary Landesman, senior security researcher at ScanSafe, said, “The gross infection rate is exceptional, especially this late in the game… Basically, it has been enjoying a free rein.”

Landesman also suggested that the payload carried by the attack is highly dangerous. The malware supposedly intercepts web traffic and redirects it to fraudulent domains. This allows the attackers to collect referral fees, and places the user at risk of further infection.

Additionally, the malware is supposed to contain botnet controllers and is programmed to collect all FTP permissions on the infected websites, allowing Gumblar to infect any sites which the user administers, further fostering the spread to new domains.

Thus, the infection is spreading rapidly across the web, and given that it is so difficult to get rid of, researchers suggest that Gumblar has been much more successful than previous malware attacks.
