Gumblar: a good Web Based Attack example
Date: June 04, 2009
An attack in two steps:
Several sources have reported the infection of many websites by a Trojan horse which redirects victims who visit these sites to a malicious web site.
This malware was named Gumblar (it is also known as JSRedir), in reference to the malicious site to which victims are redirected.
This malware spreads via a two-stage attack.
A first stage targets trusted websites.
This phase of the attack attempts to install the Trojan on legitimate websites. To do so, it uses the FTP access normally intended for updating these websites.
It seems that the attackers use stolen FTP credentials.
The second stage targets users of the infected websites.
Once installed on trusted websites, Gumblar redirects visitors of these compromised sites to a malicious site and attempts to compromise the visitors' systems. For this second stage it exploits known vulnerabilities in the Adobe PDF reader and Flash Player through malicious PDF and SWF files. The browser used to visit the compromised sites is not itself exploited: even a user with a properly patched browser is vulnerable if his Adobe PDF reader or Flash Player is vulnerable.
Finally, Gumblar installs malicious code on the systems of the victims who visit the compromised websites.
This type of attack, which silently downloads malicious code while the user browses a compromised website, is called a "drive-by download" attack.
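Because the first stage modifies files on the legitimate site through its normal FTP update channel, a site operator's best early warning is a file integrity baseline taken right after a clean deployment. The following is an added example (not Cert-IST's code, nor anything from the Gumblar analysis) of such a check: it hashes every file under the web root, compares the live tree against the stored baseline, and reports files that were added, removed or modified outside the deployment process. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(digests, path):
    """Persist the baseline; in practice keep it off the web host, not under FTP-writable space."""
    Path(path).write_text(json.dumps(digests, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(baseline, current):
    """Classify every difference between the trusted baseline and the live tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean deployment, then a change made outside the deployment process."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "js").mkdir(parents=True)
        (site / "index.html").write_text("<html><body>Welcome</body></html>\n")
        (site / "js" / "site.js").write_text("console.log('site');\n")

        # Baseline taken right after the legitimate deployment.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(site), baseline_file)

        # Constructed unexpected change: one page edited, one new file appears (placeholder content only).
        with (site / "index.html").open("a") as f:
            f.write("<script>/* placeholder for unexpected content */</script>\n")
        (site / "js" / "extra.js").write_text("/* unexpected new file */\n")

        return diff_baseline(load_baseline(baseline_file), hash_tree(site))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Run the baseline step as part of every legitimate deployment and the comparison on a schedule; any entry in the report that does not correspond to a known release is a reason to inspect the file and to rotate the FTP credentials that can write to that tree.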
A very trendy malware:
The two stages of this attack say a lot about the evolution of threats to IT systems.
Indeed, as we reported in the “Cert-IST 2008 flaws and attacks review”, the year 2008 showed strong growth in:
- infections of trusted websites,
- attacks on user systems through their browsers,
- attacks exploiting vulnerabilities in third-party software (QuickTime, Acrobat Reader, Real Media …) rather than vulnerabilities in the operating system.
As we analyzed, this evolution is due to the search for new attack vectors against user systems that are now better protected (anti-virus, firewall, up-to-date operating systems), and reveals the high-tech features of the malicious code.
Vulnerable websites
Websites are now very complex and implement multiple technologies (databases, scripts, plugins ...). They rarely deliver static web pages, but rather pages dynamically built from many sources, sometimes even with content that the website itself does not control (advertising, partnerships, dynamic feeds, etc.).
This complexity increases the probability that a website will be affected by one vulnerability or another.
The value of compromising a website
Typically, the websites used to spread malicious code were sites such as pornographic sites or sites delivering pirated software.
A user trusts government sites, commercial sites...
By infecting a trusted site, an attacker gains an extraordinary attack vector, because of the number of visitors to the site and the lack of caution of those visitors.
Third-party software: the Achilles' heel of user desktops
Much progress has been made in deploying security patches for operating systems. But it is much more common to find third-party software (QuickTime, Acrobat Reader, Real Media ...) left affected by known vulnerabilities for a long time.
Third-party software used to render the content of many web pages constitutes a perfect attack vector for malicious websites.
Gumblar is a good illustration of these trends: it compromises websites and uses them as an attack vector by exploiting known vulnerabilities in the Adobe PDF reader and Flash Player.
Which protection?
According to Symantec, obfuscation is another increasingly common technique in current attacks. Gumblar uses it to hide, and it also regularly changes its characteristics (polymorphism) in order to avoid detection by traditional signature-based antivirus.
Note that few antivirus vendors currently provide signatures for Gumblar.
Symantec recommends implementing other techniques to protect against such attacks:
- Heuristic file protection looks for suspicious behaviour in the scanned files.
- An Intrusion Prevention System (IPS) monitors network traffic so as to detect intrusion attempts and block them.
- Behavioral monitoring watches the actions of software running on your system and alerts on, or prevents, suspicious behaviour.
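The heuristic approach in the list above can also be applied to the web content itself, which is what a proxy, IPS or site-owner scanner does when it has no signature for the current variant. The following added example (not Symantec's or Cert-IST's code) scans an HTML page for generic signs of an injected redirect: script blocks built from long escaped strings or fed to eval/unescape/document.write, script sources and iframes pointing outside the site's own hostnames, and iframes sized or styled to be invisible. Both sample pages, the hostnames and the escaped string are constructed for the demonstration; the escaped string decodes to the harmless text "constructed test string".

```python
import re
from urllib.parse import urlparse

# Heuristic indicators; none of these is a signature for a specific sample.
SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
OBFUSCATION_CALL_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
# 20 or more consecutive %XX, \xXX or \uXXXX escapes: typical of encoded payload strings.
ESCAPED_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){20,}", re.I)
HIDDEN_ATTR_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I
)
SRC_ATTR_RE = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def _host(url):
    """Hostname of an absolute URL, or '' for relative references."""
    return (urlparse(url).hostname or "").lower()


def scan_page(html, own_hosts):
    """Return a list of heuristic findings for one page; an empty list means nothing suspicious."""
    own = {h.lower() for h in own_hosts}
    findings = []

    for body in SCRIPT_BLOCK_RE.findall(html):
        if OBFUSCATION_CALL_RE.search(body):
            findings.append("obfuscation-call")
        if ESCAPED_RUN_RE.search(body):
            findings.append("long-escaped-string")

    for src in SCRIPT_SRC_RE.findall(html):
        host = _host(src)
        if host and host not in own:
            findings.append(f"external-script:{host}")

    for attrs in IFRAME_RE.findall(html):
        src_match = SRC_ATTR_RE.search(attrs)
        host = _host(src_match.group(1)) if src_match else ""
        if HIDDEN_ATTR_RE.search(attrs):
            findings.append(f"hidden-iframe:{host or 'inline'}")
        elif host and host not in own:
            findings.append(f"external-iframe:{host}")

    return findings


# Constructed sample pages for the demonstration.
CLEAN_PAGE = (
    '<html><head><script src="/js/site.js"></script></head>'
    "<body><p>Hello</p></body></html>"
)
SUSPICIOUS_PAGE = (
    "<html><body><p>Hello</p>\n"
    "<script>eval(unescape('%63%6F%6E%73%74%72%75%63%74%65%64%20%74%65%73%74"
    "%20%73%74%72%69%6E%67'))</script>\n"
    '<iframe src="http://redirector.example.net/" width="0" height="0"></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    own_hosts = ["www.example.com"]
    for name, page in (("clean", CLEAN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, scan_page(page, own_hosts))
```

The allow-list of the site's own hostnames is the key parameter: legitimate third-party content (advertising, partner widgets) will show up as external references, so in practice the list is extended with the hosts the site knowingly embeds, and anything left over is reviewed rather than blocked outright.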
Do not forget some common-sense advice:
- apply security updates to third-party software,
- be careful when downloading software (codecs, plugins, ...), even when browsing trusted sites.
For more information:
- Cert-IST « Virus coord »: https://wws.cert-ist.com/fast-cgi/VirusCoord/VirusCoord.cgi?lang=fra&Alias=viruscoord-2009_002
- US-Cert: http://www.us-cert.gov/current/#gumblar_malware_attack_circulating
- Sophos article: http://www.sophos.fr/pressoffice/news/articles/2009/05/jsredir-r.html
- Sophos description: http://www.sophos.com/security/analyses/viruses-nd-spyware/trojjsredira.html
- Symantec white paper on Web Based Attacks: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf