JS_GUMBLAR


 ALIASES:

Gamburl, Gumblar

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


GUMBLAR malware was spotted in 2009. Thousands of websites were compromised. These compromised sites hosted malicious scripts, detected as GUMBLAR. Apart from SQL injection, thousands of sites were compromised by GUMBLAR perpetrators with the use of stolen FTP credentials.

GUMBLAR malware are known to download KATES information stealers. KATES steal FTP credentials, which allowed the cybercriminals behind GUMBLAR to compromise more websites. In addition, some GUMBLAR variants contained embedded KATES binary in their bodies, which they dropped directly without the aid of exploit components.

It may also download specially-crafted files that exploit vulnerabilities. Once exploits are successful, it leads to the dropping of KATES information stealers.

Apart from KATES, some GUMBLAR variants download other malware belonging to the FAKEAV, WALEDAC, and DAURSO families.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Downloads files

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}r.cn/rss/?id={generated string}
  • http://{BLOCKED}-tank.co.uk/acatalog/links.php?s={random}&id=2
  • http://{BLOCKED}nfs.com/images/gifimg.php?s=ZhOhUDhpM&id={random numbers}
  • http://{BLOCKED}tar.com/zrida_1/player-mp3.php?s={random}&id=2
  • {BLOCKED}ukula.com
  • {BLOCKED}z.cn
  • {BLOCKED}ack.dp.ua