Gumblar Malware Becomes Infectious Again With New Hosts

Last week the Gumblar malware was neutralized when the files containing its malware infection code were replaced with code that attempted to neutralize iframes. Today, those files have been modified to redirect users to files on other websites that contain the malware code. Like the original websites that hosted the malware code, these new hosts are websites that have been compromised by the malware. This is different from most attacks, where the malware code is stored on a website controlled by the individuals behind the malware.

640,000 Websites Estimated to be Infected with Malware in Q3

Dasient, which monitors websites for malware, reported that an estimated 640,000 websites and 5.8 million web pages were infected with malware in the third quarter of 2009. A significant portion of those infected websites, 39.6%, were reinfected during the quarter. Websites can become reinfected if the vulnerability that allowed the website to be hacked into is not fixed or another vulnerability is discovered. Most infection code consisted of JavaScript (54.8%) or an iframe (37.1%), with other code, such as .htaccess redirects, accounting for 8.1%.

Gumblar Malware Code Replaced With Iframe Neutralizer

The Gumblar malware, which returned in the past several weeks, appears to be neutralized for the moment. In its return, Gumblar was using compromised websites to host its malware code instead of a website owned by the person(s) behind the hack. Other websites that have been compromised by Gumblar then have code inserted into them that causes a file containing the malware code to be loaded from one of the websites that host the malware.
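As an added example, not part of the original post, here is a small Python scanner for the injection pattern described above (and for the JavaScript and iframe injection types in the Dasient figures): it parses a page and flags script and iframe tags whose src points off-site, plus iframes styled to be invisible. The sample HTML and all host names in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    """Flags <script src> / <iframe src> that load from another host, and hidden iframes."""
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}   # e.g. the site's own CDN
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                                          # inline script: not a remote loader
        host = (urlparse(src).hostname or self.site_host).lower()  # relative src stays on-site
        off_site = host != self.site_host and host not in self.allowed
        hidden = tag == "iframe" and self._is_hidden(a)
        if off_site or hidden:
            self.findings.append({"tag": tag, "src": src, "host": host,
                                  "off_site": off_site, "hidden": hidden})

    @staticmethod
    def _is_hidden(a):
        style = re.sub(r"\s+", "", a.get("style") or "").lower()
        return ("display:none" in style or "visibility:hidden" in style
                or a.get("width") == "0" or a.get("height") == "0")

def scan_page(html, site_host, allowed_hosts=()):
    """Return a list of suspicious script/iframe loaders found in the page."""
    p = InjectionScanner(site_host, allowed_hosts)
    p.feed(html)
    return p.findings

# Constructed sample page: the site's own script, an allowed CDN, and two injected loaders.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="http://compromised-host.example.net/loader.php"></script>
</head><body><p>Welcome</p>
<iframe src="http://compromised-host.example.org/x.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "www.example.com", ["cdn.example.com"]):
        print(finding)
```

Run it over a crawl of your own pages and diff the findings against a known-good baseline; a newly appearing off-site loader is the signal worth investigating.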

The code on those websites hosting the malware has now been changed from the malware infection code to JavaScript that neutralizes iframes and a message that reads “iframes are EVIL! Hate Zeus!”. If the iframe neutralizing code is loaded on a website that contains other malware scripts, which occurs in some cases, it could disable those scripts.

Gumblar inserted backdoor scripts as part of its hack, which someone other than the original hacker could have used to change the code stored on the host websites. It is also possible that the original hacker made the change for some unknown reason.