TROJ_DAONOL
Gamburl, Gumblar
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
GUMBLAR malware was first spotted in 2009, when thousands of websites were compromised to host malicious scripts, detected as GUMBLAR. Apart from SQL injection, the perpetrators behind GUMBLAR compromised thousands of sites using stolen FTP credentials.
GUMBLAR malware is known to download KATES information stealers. KATES steals FTP credentials, which in turn allowed the cybercriminals behind GUMBLAR to compromise more websites. In addition, some GUMBLAR variants carry an embedded KATES binary in their bodies, which they drop directly without the aid of an exploit component.
It may also download specially crafted files that exploit vulnerabilities. When an exploit succeeds, it drops KATES information stealers.
Apart from KATES, some GUMBLAR variants download other malware belonging to the FAKEAV, WALEDAC, and DAURSO families.
TECHNICAL DETAILS
Memory Resident: Yes
Payload: Connects to URLs/IPs, Downloads files
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}r.cn/rss/?id={generated string}
- http://{BLOCKED}-tank.co.uk/acatalog/links.php?s={random}&id=2
- http://{BLOCKED}nfs.com/images/gifimg.php?s=ZhOhUDhpM&id={random numbers}
- http://{BLOCKED}tar.com/zrida_1/player-mp3.php?s={random}&id=2
- {BLOCKED}ukula.com
- {BLOCKED}z.cn
- {BLOCKED}ack.dp.ua
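The hostnames in the list above are redacted ({BLOCKED}), but the URL paths and query-string shapes are not, and those are what a responder can pivot on in proxy logs while waiting for the full hostnames from a threat-intelligence feed. The following is an added example, not code from the original page or from Trend Micro: it encodes the four path-and-query patterns listed above as detection rules and runs them over a few constructed proxy log lines. The log format (timestamp, client IP, method, URL, status), the `.example` hostnames and the sample `s`/`id` values are all assumptions made up for the example. The three domain-only indicators are deliberately not turned into suffix matches, because matching on `z.cn` or `ack.dp.ua` without the redacted prefix would be far too broad.

```python
import re
from urllib.parse import parse_qs, urlsplit


# Predicates for query-string parameters, mirroring the placeholders on the page:
# {random}/{generated string} -> any value, {random numbers} -> digits only,
# a literal value (id=2, s=ZhOhUDhpM) -> exact match.
def _any(value):
    return True


def _digits(value):
    return value.isdigit()


def _eq(expected):
    return lambda value: value == expected


# (rule name, path regex, required query parameters and their predicates),
# derived from the "connects to" list in the advisory. Hostnames are redacted
# on the page, so these rules intentionally ignore the host part of the URL.
INDICATORS = [
    ("rss", re.compile(r"^/rss/?$"), {"id": _any}),
    ("links.php", re.compile(r"^/acatalog/links\.php$"), {"s": _any, "id": _eq("2")}),
    ("gifimg.php", re.compile(r"^/images/gifimg\.php$"),
     {"s": _eq("ZhOhUDhpM"), "id": _digits}),
    ("player-mp3.php", re.compile(r"^/zrida_1/player-mp3\.php$"),
     {"s": _any, "id": _eq("2")}),
]


def classify_url(url):
    """Return the name of the first matching indicator, or None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, path_re, params in INDICATORS:
        if not path_re.match(parts.path):
            continue
        # Every required parameter must be present and satisfy its predicate.
        if all(key in query and check(query[key][0]) for key, check in params.items()):
            return name
    return None


# Constructed sample proxy log (assumed format: ts client method url status).
# The hostnames use the reserved .example TLD and are not real indicators.
SAMPLE_LOG = """\
1248726001.123 10.0.0.5 GET http://host1.example/rss/?id=Ab3xK9 200
1248726002.456 10.0.0.5 GET http://www.host2.example/index.html 200
1248726003.789 10.0.0.7 GET http://host3.example/acatalog/links.php?s=q7Lm2&id=2 200
1248726004.012 10.0.0.7 GET http://host4.example/images/gifimg.php?s=ZhOhUDhpM&id=5839201 200
1248726005.345 10.0.0.9 GET http://host4.example/images/gifimg.php?s=other&id=5839201 200
1248726006.678 10.0.0.9 GET http://host5.example/zrida_1/player-mp3.php?s=Z1&id=3 200
"""


def scan_log(text):
    """Yield (line number, client IP, rule name, url) for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than crash
        client_ip, url = fields[1], fields[3]
        name = classify_url(url)
        if name is not None:
            hits.append((lineno, client_ip, name, url))
    return hits


if __name__ == "__main__":
    for lineno, client_ip, name, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client_ip} matched {name}: {url}")
```

Lines 5 and 6 of the sample log are deliberate near-misses (wrong fixed `s` value, `id=3` instead of `id=2`) and do not fire. Treat a hit from the `links.php` or `player-mp3.php` rule as a lead rather than a verdict: a random `s` plus `id=2` on those paths is a thin signature on its own, and a legitimate site could use the same file names. Confirm against the full hostnames before escalating, and add the domain-only indicators once the unredacted names are available.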