  1. #1
    Administratori (Parajsa Shqiptare), offline
    Registered: 06-07-02
    Location: London
    Posts: 2,117
    Blog entries: 10

    Trojan virus spreading. Are you affected?

    Recently, a Trojan virus coined “Gumblar” has been spreading throughout the Internet. It works by injecting an exploit into the HTML code of a website, and downloads a program which is automatically installed on your computer (and thus infecting it with the virus). The program will then sniff out for FTP passwords that are entered, and log into those FTP accounts to infect your site with the same HTML exploit. Any users who visit your site will also be infected with this same virus, and their FTP passwords captured. Because of this vicious cycle, millions of websites have been infected.

    Some of our customers have experienced the problem, and we have been fixing it as quickly as we can. The first thing you must do is scan your own computer to remove the Trojan. Then, you should change your FTP password, and begin to remove the infected code/files. A more comprehensive guide can be found at Daniel Ansari's blog ("Automatic removal of Gumblar/Martuz trojan"), and general Q&A can be found at the ScanSafe STAT Blog ("Gumblar Q&A").
    Try not to become a man of success but rather to become a man of value - Einstein Albert.

  2. #2
    Administratori (Parajsa Shqiptare)

    Gumblar Questions & Answers!

    What is happening?

    A multi-stage series of compromises is delivering malware that attempts to redirect Google search engine results (SERPs). Visitors who encounter the compromised websites risk having their subsequent Google search results replaced with links that point to malicious and fraudulent websites.

    The malcode also steals FTP credentials (if found) from the victims' computers. These stolen FTP credentials are then used to further compromise any websites owned or operated by the victim. As a result, there is exponential growth of these compromises – as more victims are infected by encountering a compromised site, the number of compromised sites also increases and thus more visitors are exposed.

    Is this a cross-site scripting (XSS) attack?

    No. The compromises appear to be the result of stolen FTP credentials and direct manipulation of files on the Web server.

    When did ScanSafe first detect this?

    There are two stages in the attack. The first stage compromised websites in order to distribute malcode from 94.247.2.195. OI made the first block on March 23rd. Signature scanners began detecting on March 27th. The compromises were reported to Google on April 13th after an investigation revealed the malware was redirecting Google searches.

    What happened next?

    As Google began delisting the compromised websites, those site owners began cleaning up the mal-scripts pointing to 94.247.2.195. Likely as a defensive maneuver, in early May the attackers began replacing the mal-scripts pointing to 94.247.2.195 with dynamically generated and heavily obfuscated mal-scripts pointing to gumblar.cn. Blacklisting based on the original mal-script would thus be defeated, allowing the compromised sites to once again be listed by search engines.

    What is the intent of the malware distributed through the Gumblar compromised websites?

    The malcode distributed via the compromised websites attempts to exploit PDF and Flash exploits in order to deliver malware that redirects infected users' search engine results. In these particular attacks, the malcode appears to be targeting Internet Explorer users and Google search. In addition, the gumblar.cn malcode installs a backdoor that connects to 78.109.29.112 – an IP address of a known botnet command and control that has historically been associated with malware engaged in malicious redirections.

    How do these malicious redirections work?

    Similar to a man-in-the-middle attack, these redirections occur as a result of a man-in-the-browser attack. The malcode injects itself into the browser process, monitors the requests processed by the browser, and injects fraudulent traffic. In the case of the Google SERPs redirects, the malcode replaces legitimate Google SERPs results with links pointing to malicious or fraudulent websites.

    Is this a problem on Google's end?

    No. As mentioned, this is a man-in-the-browser attack. The injection and redirection occurs locally, on the compromised PC.

    Millions of websites have been compromised over the past year; what makes these particular compromises unique?

    A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases, and website operators begin cleaning the affected sites. (This is why attackers are constantly pushing new waves of compromise).

    In the gumblar.cn attacks, the opposite is occurring. As website operators attempt to clean up the original compromise or otherwise make changes to the original source code of the .htm, .php, and .asp pages on their sites, the gumblar.cn compromise is injected. The gumblar.cn mal-script appears to be dynamically generated and thus varies not only from site to site, but also from page to page on the same site. In addition, the resulting mal-script is heavily obfuscated, further hampering signature detection methods. As a result, the gumblar.cn compromises are increasing – up 188% from last week and a 61% increase from yesterday.

  3. #3
    Administratori (Parajsa Shqiptare)

    Automatic removal of Gumblar/Martuz trojan!

    I won't duplicate information contained on other websites, but I will refer to them here instead.

    How your machine gets infected by Gumblar, or a "Gumblaroid" (Gumblar-type exploit) such as Martuz

    Gumblar .cn Exploit - 12 Facts About This Injected Script | Unmask Parasites. Blog.
    Martuz .cn - New Incarnation of the Gumblar Exploit. So What's New? | Unmask Parasites. Blog.
    A nasty virus called Gumblar > Software > Forums > PC Authority

    How to determine if your PC has the infection

    Has my website been hacked? - Page 4 - Dynamic Drive Forums

    These were the symptoms that I noticed on my PC:

    1. My Visual Studio .NET 2005 was crashing a lot, and I could not get any work done using it.
    2. In Firefox 3, each search result would initially redirect to a bogus ad page (I always open search results in a new tab), but clicking the search result once more would open the genuine page.
    3. I could not start cmd from the XP Start/Run menu item.

    How I removed this malware from my PC

    1. I installed and scanned my PC with Malwarebytes' Anti-Malware, which found the single file - in my case it was C:\WINDOWS\ukvvq.qnx - that was keeping the infection active. Manually deleting it, or letting Anti-Malware attempt to delete it, would delete it, but the file would reappear almost immediately. Don't worry if Anti-Malware is unable to update its definitions online - this is another symptom of Gumblar - it still detects it, though as something else.
    2. I ran Hijackthis (I didn't need a scan), chose "misc tools", and chose "delete file on reboot" for this file (according to Has my website been hacked? - Page 4 - Dynamic Drive Forums).
    3. I ran regedit and deleted the registry entry (according to Has my website been hacked? - Page 4 - Dynamic Drive Forums).

    That was it to remove it from my PC, voila! To protect my PC from re-infection, I disabled Adobe JavaScript according to A nasty virus called Gumblar > Software > Forums > PC Authority.

    Unfortunately, it seems that several people resorted to rebuilding their machines from scratch.

    How to remove the infection from a website

    If you manage websites using an FTP program, there is a chance that your sites have become infected. The first thing you must do is change the ftp passwords after your machine has been cleaned.

    As yet, I am unaware of any automated script which removes the infection from a website, so I wrote my own and applied it to 5 of the websites that I manage that were infected.

    I started off using the script by rad-one at Gumblar .cn Exploit - 12 Facts About This Injected Script | Unmask Parasites. Blog.

    I modified it heavily to use PHP regular expressions, to remove the gumblar modifications in html, php, and js files (it scans files with all extensions except .bak). Unlike rad-one's detection script, this one yielded zero false positives for me, and eradicated the infection completely, as far as I can tell.

    Here is what my script does:

    1. Recurses through the whole website, excluding files and/or directories of your choosing.
    2. Applies regular expressions to remove the infection from all the files (except those with the .bak extension) in each directory.
    3. All modified files are backed up using the .bak extension.
    4. Removes all files with paths ending in /images/image.php or /images/gifimg.php.
    5. Runs in report mode by default, so you can see which files would be modified.
    6. Has a "verbose" option, so you can see how each file will be modified.

    It does not change directory permissions. I haven't got around to investigating that area yet.

    You may download it here. (Use at your own risk.)

    Instructions for use

    1. Place the file scan_files.php at your web document root.
    2. Invoke it with no parameters to run it in report mode, where no modifications will be made.
    3. Use scan_files.php?v=1 to run it in verbose mode.
    4. Use scan_files.php?u=1 to run it in update mode, where the modifications will actually be made.
    5. Use scan_files.php?u=1&v=1 to run it in both update and verbose modes.
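The clean-up procedure the post describes (recurse the site, skip .bak files, report by default, back up before modifying, delete the /images/image.php and /images/gifimg.php droppers), written as an added Python example rather than the author's scan_files.php. It is run offline from the command line against a copy of the site, and it assumes an injection can be recognised as a `<script>` block referencing gumblar.cn or martuz.cn, the domains named in the thread; the sample site and the stand-in injection are constructed here, not the real obfuscated payload.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Hosts the thread names for the mal-scripts; a <script> block counts as injected when its tag or body
# mentions one of them. The tempered dot keeps the match inside a single <script>...</script> block.
BAD_HOSTS = ("gumblar.cn", "martuz.cn")
INJECTED_SCRIPT = re.compile(
    r"<script\b(?:(?!</script>).)*?(?:%s)(?:(?!</script>).)*?</script>" % "|".join(map(re.escape, BAD_HOSTS)),
    re.IGNORECASE | re.DOTALL,
)
DROPPER_SUFFIXES = ("/images/image.php", "/images/gifimg.php")  # dropper paths the post removes outright

def scan_site(root, update=False, exclude=()):
    """Walk root; return {relative path: action}. Report mode (update=False) changes nothing."""
    root, report = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = "/" + path.relative_to(root).as_posix()
        if path.suffix == ".bak" or any(rel.startswith(e) for e in exclude):
            continue  # never touch backups or excluded paths
        if rel.endswith(DROPPER_SUFFIXES):
            report[rel] = "delete"
            if update:
                path.unlink()
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, n = INJECTED_SCRIPT.subn("", text)
        if n:
            report[rel] = "strip %d injected script block(s)" % n
            if update:  # back up first, then rewrite the file without the injected blocks
                shutil.copy2(path, path.with_name(path.name + ".bak"))
                path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample site: a legitimate script plus a stand-in injection (not the real Gumblar payload).
LEGIT_HTML = '<html><head><script src="/js/site.js"></script></head><body>Hi</body></html>'
INJECTED = '<script>/* constructed stand-in */ var h = "gumblar.cn";</script>'

def demo():
    """Build the sample site in a temp dir; run report mode, then update mode, then re-scan."""
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    (root / "index.html").write_text(LEGIT_HTML + INJECTED)
    (root / "images" / "gifimg.php").write_text("<?php /* constructed dropper stand-in */ ?>")
    first = scan_site(root)                 # report mode: lists actions, modifies nothing
    second = scan_site(root, update=True)   # update mode: strips, backs up, deletes
    cleaned = (root / "index.html").read_text() == LEGIT_HTML
    backed_up = (root / "index.html.bak").read_text() == LEGIT_HTML + INJECTED
    gone = not (root / "images" / "gifimg.php").exists()
    return first, second, cleaned, backed_up, gone, scan_site(root)  # final re-scan must be empty
```

The backup keeps the original content, so the third scan finding nothing while `index.html.bak` still holds the injection shows the .bak exclusion working as the post describes.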