JS_GUMBLAR
Aliases: Gamburl, Gumblar
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
GUMBLAR malware was first spotted in 2009, when thousands of websites were compromised. These compromised sites hosted malicious scripts, detected as GUMBLAR. In addition to SQL injection, the perpetrators behind GUMBLAR compromised thousands of sites using stolen FTP credentials.
GUMBLAR malware is known to download KATES information stealers. KATES steals FTP credentials, which allowed the cybercriminals behind GUMBLAR to compromise more websites. Some GUMBLAR variants also carried an embedded KATES binary in their bodies, which they dropped directly without relying on exploit components.
It may also download specially crafted files that exploit vulnerabilities. When an exploit succeeds, it leads to the dropping of KATES information stealers.
Apart from KATES, some GUMBLAR variants download other malware belonging to the FAKEAV, WALEDAC, and DAURSO families.
TECHNICAL DETAILS
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}r.cn/rss/?id={generated string}
- http://{BLOCKED}-tank.co.uk/acatalog/links.php?s={random}&id=2
- http://{BLOCKED}nfs.com/images/gifimg.php?s=ZhOhUDhpM&id={random numbers}
- http://{BLOCKED}tar.com/zrida_1/player-mp3.php?s={random}&id=2
- {BLOCKED}ukula.com
- {BLOCKED}z.cn
- {BLOCKED}ack.dp.ua