Over the past week I have noticed an increased number of Irish sites being flagged in Google search results with the warning "This site may harm your computer." When you click on the title of such a search result, Google presents you with a warning page instead of directing you to the requested site.
This warning page includes a link to Google's "Safe Browsing Diagnostic Page" for the site in question. This page answers various questions about the site:
- What is the current listing status for www.somewebsite.com?
- What happened when Google visited this site?
- Has this site acted as an intermediary resulting in further distribution of malware?
- Has this site hosted malware?
- How did this happen?
Gumblar.cn is listed as malicious software in Google's answers to the above questions. Sophos is a leading developer of security software and hardware. Its research arm, SophosLabs, refers to Gumblar as Troj/JSRedir-R. On May 14th they reported that between May 6th and May 13th Troj/JSRedir-R accounted for 42% of malicious infections found on websites.
So what is Gumblar (Troj/JSRedir-R)?
Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files as obfuscated JavaScript. They load malware content from third-party sites without the user's knowledge. The malware attempts to redirect the victim's Google search engine result pages (SERPs) to links that point to fraudulent and malicious websites. It also steals FTP credentials from the victim's computer, which allows it to spread and infect additional sites. So when someone visits an infected site they get infected, and if they have FTP credentials for a website stored on their machine then that website will get infected too. This explains the exponential growth of the exploit in such a short space of time. The malware also installs a backdoor that connects to the IP address of a known botnet.
The initial attack uses vulnerabilities in Adobe Acrobat and Adobe Flash Player. If you browse to an infected website your local machine can get infected. Then, if you have FTP credentials for your websites stored locally, those websites may get infected. Anyone who browses to them may subsequently get infected. All of this happens without your knowledge.
What makes it different from previous malware exploits?
There are a number of aspects to this exploit that both make it difficult to remove and help it spread. Firstly, it infects users who are browsing legitimate websites; if these users are webmasters then it infects their sites by using their FTP credentials to inject the script into their pages. Secondly, the obfuscated malicious code is dynamically generated. This makes it difficult to detect and difficult to remove automatically: not only does the script vary from site to site, it can also vary from page to page on the same site, so a search for one fixed string will miss some of the copies.
How do you remove gumblar?
I have been unable to find a tool for doing so or a specific set of instructions for the removal of gumblar. Here is my suggested approach to removing Gumblar from your site. If you have any problems or suggestions please feel free to post a comment or post on our forum.
On any desktop or laptop that has FTP access to your website's host, install a virus scanner with the latest updates and make sure any malware, trojans or keyloggers are removed. Once you are confident that you have a "clean" machine, change your FTP password for the compromised server. If you are unable to clean your local computer, change the FTP password from a computer that you know is clean; a password changed from an infected machine is simply stolen again. I would recommend that you do not store your FTP credentials in your FTP client and, if possible, use a secure connection for transferring files such as SFTP, since plain FTP sends your password over the network in clear text. Changing the FTP password for the compromised server is not enough, as Gumblar may have installed a backdoor or made other changes that would allow further exploits. I recommend you do the following:
- Check that file and directory permissions on your server are set correctly (no world-writable files or directories)
- Check that your PHP includes have not been modified
- Check that your .htaccess has not been modified
You may need assistance from your hosting provider for the above. You also need to clean up your website by removing the malicious code from the compromised pages. If you have been making regular backups of your site then it may be possible to revert to a previous version that has not been compromised; make sure the backup predates the first injection, or you will restore the malicious code along with your site, and change the FTP password before you restore, or the restored files will simply be re-infected. If you are not making regular backups then you should start; talk to your hosting provider, as they can usually facilitate this. If restoring from a backup is not an option for you then the clean-up will be a manual process. You will have to inspect all files and remove the malicious code. I suggest you start with the following:
- Look at the beginning of all .php, .htm, .html and .asp files
- Look at the end of javascript files
- Search for iframes in your source
- Check your image directories for script files
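The four checks above can be scripted. What follows is an added example, not code from the original post: a Python sweep of a local copy of the site that looks for obfuscated script at the start of .php/.htm/.html/.asp files and at the end of .js files, flags iframes (hidden ones in particular) and script files sitting in image directories, reports world-writable files, and compares the live tree against a known-clean backup by hash so that modified .htaccess or include files and newly dropped files stand out. The obfuscation markers, directory names and the sample site are assumptions, so treat hits as leads to review, not verdicts.

```python
# Added example, not code from the original post: automate the checks
# above over a local copy of the site, flag world-writable files, and
# diff the live tree against a known-clean backup. The obfuscation
# markers, directory names and sample site are assumptions.
import hashlib
import os
import re
import stat
import tempfile

WEB_EXT = {".php", ".htm", ".html", ".asp"}
JS_EXT = {".js"}
SCRIPT_EXT = {".php", ".js", ".pl", ".cgi", ".asp"}
IMAGE_DIRS = {"images", "img", "image", "pics", "photos"}
HEAD_BYTES = TAIL_BYTES = 2048

# Generic markers of obfuscated injected code: a heuristic list, not a
# Gumblar signature, so expect false positives and review every hit.
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|base64_decode\s*\(|(\\x[0-9a-f]{2}){4}",
    re.IGNORECASE)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.IGNORECASE)
ANY_IFRAME = re.compile(r"<iframe\b", re.IGNORECASE)


def scan_content(path, text):
    """Apply the four manual checks to one file; return (path, reason) pairs."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    parent = os.path.basename(os.path.dirname(path)).lower()
    if ext in WEB_EXT and OBFUSCATION.search(text[:HEAD_BYTES]):
        findings.append((path, "obfuscated script near start of file"))
    if ext in JS_EXT and OBFUSCATION.search(text[-TAIL_BYTES:]):
        findings.append((path, "obfuscated code appended to end of JS file"))
    if HIDDEN_IFRAME.search(text):
        findings.append((path, "hidden iframe"))
    elif ANY_IFRAME.search(text):
        findings.append((path, "iframe present, review manually"))
    if parent in IMAGE_DIRS and ext in SCRIPT_EXT:
        findings.append((path, "script file inside an image directory"))
    return findings


def scan_tree(root):
    """Walk a web root; report injected-code hits and (Unix) world-writable files."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable file"))
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_content(path, fh.read()))
    return findings


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def diff_against_backup(clean_root, live_root):
    """Relative paths changed since the backup, and paths present only on the
    live site (a dropped backdoor or web shell shows up in the second list)."""
    def index(root):
        return {os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/"):
                sha256_of(os.path.join(d, n)) for d, _, ns in os.walk(root) for n in ns}
    clean, live = index(clean_root), index(live_root)
    modified = sorted(r for r in live if r in clean and live[r] != clean[r])
    added = sorted(r for r in live if r not in clean)
    return modified, added


def demo():
    """Constructed sample: a clean backup and a live copy with injections."""
    clean = {"index.html": "<html><body>Hello</body></html>",
             "about.php": "<?php echo 'about'; ?>",
             "main.js": "function greet() { return 'hi'; }\n",
             "footer.html": "<div>footer</div>"}
    live = dict(clean)
    live["about.php"] = "<?php eval(base64_decode('Zm9v')); ?>" + clean["about.php"]
    live["main.js"] = clean["main.js"] + "document.write(unescape('%3Cscript%3E'));"
    live["footer.html"] = "<iframe src='http://example.invalid/' width='0' height='0'></iframe>"
    live["images/x.php"] = "<?php echo 'x'; ?>"   # script dropped into the image folder

    def write_tree(files):
        root = tempfile.mkdtemp(prefix="gumblar_demo_")
        os.makedirs(os.path.join(root, "images"))
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(os.path.join(root, rel), 0o644)
        return root

    clean_root, live_root = write_tree(clean), write_tree(live)
    os.chmod(os.path.join(live_root, "index.html"), 0o666)   # sloppy permissions
    hits = sorted((os.path.relpath(p, live_root).replace(os.sep, "/"), why)
                  for p, why in scan_tree(live_root))
    return (hits,) + diff_against_backup(clean_root, live_root)
```

Pull the site down over SFTP to a local directory and run scan_tree() on it, then diff_against_backup() with the most recent backup that predates the infection; demo() builds a throwaway site in a temporary directory so you can see what each finding looks like before pointing the script at real files.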
UPDATE(S):
26-05-2009
Daniel Ansari's blog provides detailed steps on how to remove Gumblar, including a script he created to automate the removal. The script uses PHP expressions to remove Gumblar modifications from HTML, PHP and JS files. I have not tried this script but, based on the comments in his feedback, it appears to be working for people. Bear in mind that, because the injected code varies from page to page, any pattern-based clean-up should be followed by a manual check of the files.
27-05-2009
ScanSafe's STAT Blog has posted a useful method to determine whether your Windows machine has been infected by Gumblar. sqlsodbc.chm is a default Windows file that is modified by the Gumblar malware. Microsoft released a list of SHA1 hashes and file sizes for known good versions of sqlsodbc.chm. So if you want to check whether you are infected, generate a SHA1 of your copy of sqlsodbc.chm and compare it, together with the file size, against the list in the STAT Blog article. If you do not find a match then there is a good chance you have a Gumblar infection.
28-05-2009
Someone pointed out that my previous update was not much use if you did not know how to get the SHA1 of a file. FileAlyzer is a tool that analyses files and can be used to generate the SHA1 of sqlsodbc.chm.
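If you would rather not install FileAlyzer, the same check can be done with a few lines of Python. This is an added example, not code from the post or from the STAT Blog: hash the file with SHA-1, take its size, and look the pair up in a table of known-good values. The KNOWN_GOOD table is deliberately left empty as an assumption to be filled from the list in the STAT Blog article (the hashes are not reproduced here), and demo() works on a constructed fake file rather than your Windows directory.

```python
# Added example, not from the post: the STAT Blog check done in Python
# rather than FileAlyzer. KNOWN_GOOD is an empty placeholder (assumption)
# to be filled from the published list; the demo uses a constructed file.
import hashlib
import os
import tempfile

# {"<sha1 hex, lower case>": <size in bytes>} for each known-good version.
KNOWN_GOOD = {}


def sha1_and_size(path):
    """SHA-1 and byte length of a file, read in chunks."""
    h, size = hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def check_file(path, known_good=KNOWN_GOOD):
    """Return (verdict, sha1, size). 'match' means both hash and size agree
    with a known-good entry; 'no-match' means the hash is unknown, which for
    this file is the sign of tampering the STAT Blog describes."""
    digest, size = sha1_and_size(path)
    if digest in known_good and known_good[digest] == size:
        return "match", digest, size
    return "no-match", digest, size


def check_windows_copy(known_good=KNOWN_GOOD):
    """Check the live sqlsodbc.chm under %SystemRoot%\\System32 (assumed location)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return check_file(os.path.join(root, "System32", "sqlsodbc.chm"), known_good)


def demo():
    """Constructed: whitelist a fake 'good' file, then test a modified copy."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "sqlsodbc.chm")
    with open(good, "wb") as fh:
        fh.write(b"ITSF" + b"\x00" * 60)   # CHM magic plus padding, not a real file
    digest, size = sha1_and_size(good)
    trusted = {digest: size}
    bad = os.path.join(d, "sqlsodbc_modified.chm")
    with open(bad, "wb") as fh:
        fh.write(b"ITSF" + b"\x00" * 60 + b"injected")
    return check_file(good, trusted)[0], check_file(bad, trusted)[0]
```

On a real machine, fill KNOWN_GOOD from the published list and call check_windows_copy(); a "no-match" verdict means the file is not one of the known good versions and the machine should be treated as suspect until scanned.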
29-05-2009
Gumblar has been getting a lot of media coverage in the past few days and reports are saying that Gumblar is now worse than Conficker. The only upside is that this blog post is now attracting a considerable amount of traffic from the search engines.
01-08-2009
It has been over two months since this post but Gumblar is still infecting websites. This blog post is one of the most popular pages on our site. I came across a tool that will do a security check on your website and tell you if you have been infected with malicious code such as Gumblar. It is a really useful tool so I thought it deserved a mention.
Useful links relating to Gumblar
I will continue to update this section of the post with relevant links as I find them.
If you have a site that you think I should include please post in the comments and I will add it.
Stay Safe!
Dave