Gumblar Virus: Symptoms, Removal & Prevention.
Symptoms of Gumblar Virus
Your website in getting infected with unknown iframe or scripts and website is getting redirect to any infected website and due to which virus are getting downloaded in your machine.
HOW?
Activity at user End
Visitors to an infected site will be redirected to an alternative site containing further Malware, which was once gumblar.cn, but has now switched to a variety of domains. The site sends the visitor an infected PDF that is opened by the visitor’s browser or Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user’s computer. It sometimes also downloads some infected javascript files in the temporary internet folder of the victim’s computer.
The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients’ stored passwords. It also enabled promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer.
Activity at server end
Using passwords obtained from site admins, the host site will access a website via FTP and infect the website. It will download large portions of the website and inject malicious code into the website’s files before uploading the files back onto the server. The code is inserted into any file that contains a <body> tag, such as HTML, PHP, JavaScript, ASP and ASPx files. The inserted PHP code contains base64-encoded JavaScript that will infect computers that execute the code. In addition, some pages may have inline frames inserted into them. Typically, iframe code contains hidden links to certain malicious websites. The virus will also modify .htaccess and HOSTS files, and create images.php files in directories named ‘images’. The infection is not a server-wide exploit. It will only infect sites on the server that it has passwords to.
Removal :-
Install any good malware removal, Unmaskparasites.com provides gumblar remove instructions and recommends scanning for spyware using programs such as the malware removal tool Malware Bytes. Remove all the malicious codes that have been installed in the server files (.html, .php, .js, etc.) and re-upload your website.
One the server, download all the files of your website from the server on to your desktop, clean all the infected files and then upload the clean files on the server. Once again change the FTP password of the website once the uploading is complete. This will ensure that the website will not be infected again even if the password is stolen at the time of uploading.
Prevention :-
1. Keep your machine virus/malware free by using Good Antivirus and AntiMalware.
2. Keep changing your all FTP password periodically.
3. Do not store FTP password in any FTP client as well as dreamviewer , Microsoft Frontpage etc.
Gumblar variants
Different companies use different names for gumblar and variants. Initially, the malware was connecting to gumblar.cn domain but this server was shutdown later. However, many badware variants have emerged after that and they connect to various malicious servers via iframe code. Whatever be the nature of gumblar variants, all of them can be categorized as iframe virus.
Gumblar resurfaced in January 2010, stealing FTP usernames and passwords and infecting HTML, PHP and Javascript files on webservers to help spread itself.
Hi, thank you for writing on this subject. I have been looking for something like this and your blog helps me a lot to understand the topic better. Waiting for your next post.