ThreatFire Research Blog

Gumblar Grumbling

A couple of anti-malware firms have grumbled about the number of successful web site compromises one group has been making in order to inject malicious web pages into the victimized sites. They refer to the threat as "Gumblar". The group reportedly uses stolen FTP credentials, and possibly other configuration issues and vulnerabilities, to get in. The hijacked web sites in turn attack visiting users' web browsers, with the goal of downloading and executing more malware hosted on a remote server. Originally the exploit/trojan/spyware hosting site was gumblar.cn; it was later changed to martuz.cn, and the domain will most likely change again.

The large numbers in the news refer not to the trojan, nor to the malware that was hosted on gumblar and martuz. The large numbers are detections of web pages that, however accurate the volume reporting may be, are most likely part of hijacked web sites redirecting browsers to the exploits and trojans on the gumblar.cn and martuz.cn domains.

When a user doesn't patch their system, for whatever reason, they keep known vulnerabilities in their software, and those are exploited when they visit a hijacked web presence. Following successful exploitation of a third party plugin, the delivered dropper is executed. The dropper uses an interesting technique to register its loaded components for auto start on the unsuspecting user's system. Instead of the usual Run keys and service locations, the malware author decided to abuse a user-mode auxiliary audio driver location that is loaded when Internet Explorer is started. ThreatExpert reports show an "Infostealer.Daonol/Trojan-Dropper.Win32.Agent.apfn/Troj/Daonol-Fam" trojan abusing the "Drivers32" key, much like the original Gumblar variant:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
aux = "%Temp%\..\doo.val"
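The Drivers32 abuse described above suggests a simple host check: every value under that key should name a driver that lives in the system directory, and an entry like the one quoted stands out on several counts at once. The following Python script is an added example, not code from the original post or from ThreatFire. It audits a constructed set of Drivers32 values modelled on the quoted entry (the aux = "%Temp%\..\doo.val" value plus a few ordinary defaults) and flags any value that references a temp directory, contains parent-directory traversal, resolves outside %SystemRoot%\system32, or carries an extension other than the usual .dll/.drv/.acm/.ax. The sample values, the sample environment and the allowed-extension list are assumptions; the read_live_drivers32 helper uses the standard winreg module so the same audit can be run against a real Windows host.

```python
"""Audit Drivers32 values for entries that do not look like real audio/video
drivers (added example; not the original post's code)."""
import ntpath
import re

# Constructed sample of Drivers32 values. The "aux" entry mirrors the value
# quoted in the post; the other entries are typical benign defaults.
SAMPLE_DRIVERS32 = {
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
    "aux": r"%Temp%\..\doo.val",
    "msacm.l3acm": r"C:\WINDOWS\system32\l3codeca.acm",
    "vidc.cvid": "iccvid.dll",
}

# Constructed environment so the audit runs offline; on a live host pass
# dict(os.environ) instead.
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS",
              "Temp": r"C:\DOCUME~1\user\LOCALS~1\Temp"}

# Extensions legitimately seen under Drivers32 (assumption; extend as needed).
ALLOWED_EXTS = {".dll", ".drv", ".acm", ".ax"}


def expand_env(value, env):
    """Expand %VAR% references case-insensitively; unknown vars are left as-is."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower_env.get(m.group(1).lower(), m.group(0)),
                  value)


def resolve_driver_path(value, env):
    """Return the normalized absolute path the loader would end up using.

    A bare file name is loaded from %SystemRoot%\\system32, so it is joined
    onto that directory; anything else is taken as written and normalized,
    which collapses '..' components just as the loader would.
    """
    expanded = expand_env(value, env)
    if "\\" not in expanded and not ntpath.isabs(expanded):
        expanded = ntpath.join(env["SystemRoot"], "system32", expanded)
    return ntpath.normpath(expanded)


def audit_drivers32(values, env):
    """Return [(name, raw_value, [reasons])] for every suspicious entry."""
    system32 = ntpath.normpath(ntpath.join(env["SystemRoot"], "system32")).lower()
    findings = []
    for name, raw in values.items():
        reasons = []
        lowered = raw.lower()
        if ".." in raw:
            reasons.append("parent-directory traversal in value")
        if "%temp%" in lowered or "%tmp%" in lowered:
            reasons.append("references a temp directory")
        resolved = resolve_driver_path(raw, env)
        if not resolved.lower().startswith(system32 + "\\"):
            reasons.append("resolves outside system32: " + resolved)
        ext = ntpath.splitext(resolved)[1].lower()
        if ext not in ALLOWED_EXTS:
            reasons.append("unusual extension " + (ext or "(none)"))
        if reasons:
            findings.append((name, raw, reasons))
    return findings


def read_live_drivers32():
    """Read the real key on a Windows host (standard winreg module)."""
    import winreg  # Windows only; imported here so the rest runs anywhere
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for name, raw, reasons in audit_drivers32(SAMPLE_DRIVERS32, SAMPLE_ENV):
        print(f"{name} = {raw}")
        for reason in reasons:
            print("  -", reason)
```

On a Windows host, replace the sample call with audit_drivers32(read_live_drivers32(), dict(os.environ)). The check is deliberately conservative: it reports why each entry was flagged, so a legitimate third party codec installed outside system32 can be recognised and whitelisted rather than silently dropped from the report.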

The group is not using any zero-day attacks. Instead, they are sending down malformed .pdf and .swf files. It seems that enough reminders cannot be sent out about updating third party software; earlier posts on the subject:
  • Antivirus 360 Distribution – Update Third Party Plugins
  • PDF Reader Exploitation 2009
  • PDF Reader Exploitation 2009 (cont)
  • Rigged PDF files
  • browser-security.microsoft.com Hosts File Modification

We will post more data as it is gathered. The trojan itself is not in high prevalence in the ThreatFire community — the attack has gotten far enough to launch the trojan on only a couple of systems, where it is prevented as "Spyware.Grumbler".

In the meantime, be sure to update your favorite third party plugins, applications and your system software.

This entry was posted on Wednesday, May 20th, 2009 at 11:22 am and is filed under Exploit, Spyware, Vulnerability.