Gumblar.cn – Virus in the wild
We’ve been noticing a lot of traffic related to a new virus that has been attacking users/websites recently.
The virus exploits your system in several distinct ways:
- An infected PC transmits stored FTP credentials to Gumblar.cn
- Gumblar.cn connects to the FTP accounts submitted from infected PCs and injects code into any PHP/HTML pages it finds
- Any user visiting an infected site will have JavaScript run in their browser that does the following:
  - Loads obfuscated JavaScript that connects to gumblar.cn if you're running Windows and not already infected
  - This in turn loads another piece of JavaScript that loads an SWF file
  - This SWF file is the virus payload; it contains a byteArray that injects a virus onto the computer (I believe it's another SWF file being loaded as the byteArray)
  - If this computer is running Windows and has Flash, it will become infected
- See step #1 (the newly infected PC now leaks its FTP credentials, and the cycle repeats)
The JavaScript code you’re looking for will look something like this:
One thing to note in the above code is that the word gumblar appears in plain text, which makes infected pages easy to search for.
When it comes to cleaning your webhost up you should take the following steps.
- Take your website down (turn the web server off – stop infecting your users)
- Remove the FTP information from your PC
- Change the FTP username/password on your webhost
- Look for new files created (image.php, etc…) that shouldn’t be there
- Now that you’ve removed the backdoor & changed the password you need to perform cleanup
- Find any PHP or HTML pages injected with the virus code and remove it
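The last two cleanup steps (look for files that shouldn't be there, then find and strip the injected script from PHP/HTML pages), as an added example that is not code from the original post: a small Python script that walks a web root, reports pages whose `<script>` elements mention gumblar in plain text, lists files modified recently (to surface dropped files such as image.php), and removes only the offending script elements after writing a backup. The sample page, the `gumblar` marker string, the seven-day window and the `.gumblar-bak` suffix are assumptions; the real injected loader is obfuscated, so the marker match is a starting point for review, not proof of a clean page.

```python
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# The post notes that the injected JavaScript carries the word "gumblar" in plain text
# (assumption: that is enough to flag a script element for manual review).
MARKER = "gumblar"
WEB_EXTENSIONS = {".php", ".html", ".htm"}

# Matches one whole <script ...>...</script> element, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample page: one legitimate script plus a stand-in for the injected one.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
</head><body><p>Hello</p>
<script>// constructed stand-in for the injected loader (the real one is obfuscated)
var host = "gumblar.cn";</script>
</body></html>
"""


def injected_scripts(html: str) -> List[str]:
    """Return every <script> element whose text mentions the marker."""
    return [m.group(0) for m in SCRIPT_RE.finditer(html) if MARKER in m.group(0).lower()]


def clean_html(html: str) -> Tuple[str, int]:
    """Strip only script elements that mention the marker; benign scripts are kept."""
    removed = 0

    def repl(m: re.Match) -> str:
        nonlocal removed
        if MARKER in m.group(0).lower():
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(repl, html), removed


def scan_webroot(root: str, newer_than_days: float = 7.0) -> Dict[str, List[str]]:
    """Walk a web root: pages carrying the marker, and any file modified recently."""
    cutoff = time.time() - newer_than_days * 86400
    infected, recent = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.stat().st_mtime >= cutoff:
            recent.append(str(path))          # candidate dropped file, e.g. image.php
        if path.suffix.lower() in WEB_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if injected_scripts(text):
                infected.append(str(path))
    return {"infected": sorted(infected), "recent": sorted(recent)}


def disinfect_file(path: str, backup_suffix: str = ".gumblar-bak") -> int:
    """Back the page up, then rewrite it without the flagged script elements."""
    p = Path(path)
    original = p.read_text(errors="replace")
    cleaned, removed = clean_html(original)
    if removed:
        p.with_name(p.name + backup_suffix).write_text(original)
        p.write_text(cleaned)
    return removed


def demo() -> Dict[str, int]:
    """Constructed web root in a temp dir: one injected page and one dropped file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    page = Path(root) / "index.html"
    page.write_text(SAMPLE_PAGE)
    (Path(root) / "image.php").write_text("<?php /* constructed stand-in for a dropped file */ ?>")
    before = scan_webroot(root)
    removed = disinfect_file(str(page))
    after = scan_webroot(root)
    return {
        "infected_before": len(before["infected"]),
        "recent_before": len(before["recent"]),
        "removed": removed,
        "infected_after": len(after["infected"]),
    }


if __name__ == "__main__":
    print(demo())
```

Run `scan_webroot` first and read the `recent` list by hand: a legitimate deploy also touches files, so recency alone is a prompt to look, not a verdict. Only call `disinfect_file` after the FTP password has been changed, otherwise the page is simply re-injected; keep the `.gumblar-bak` copies until you have diffed them against the cleaned pages.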
Once you’ve done this – everything should start getting back to normal.
There have been some useful scripts posted in the comments about this virus at blog.unmaskparasites.com.
If you’ve had any success or troubles with this virus please post your comments below.
If anyone knows of an easy way to convert a byteArray that’s being passed to an ActionScript Loader back into readable text please leave me a comment below.
Good Luck!
