Gumblar Malware

Updated: April 26, 2010

The Gumblar malware places malicious JavaScript into a website's web pages and/or JavaScript files; that code loads malware located on another website. The malicious code placed in the pages and JavaScript files is changed from time to time and may also be removed altogether. In some instances the malware may also host malware on a website, which other websites infected with the Gumblar malware will try to access.

To clean the website, either revert it to a clean backup or remove the malicious code from the web pages and/or JavaScript files; if the website is hosting malware, that also needs to be removed. The malware also adds one or more backdoor scripts to the website, which allow the hacker remote access to the website and which need to be removed. The most common location of the backdoor script is a file called gifimg.php located in the images directory.

The malware gains access to the website through FTP credentials that have been compromised by malware located on a computer that has accessed the website via FTP. To prevent the website from being reinfected, the FTP password needs to be changed, the backdoor script(s) removed, and the malware removed from the infected computer before it is used again to access the website via FTP.

Recent Script Format On Web Pages:

<script src= ></script>

Recent Script Format On JavaScript Files:

document.write('<script src= ><\/script>');

Sample Backdoor Script:

Recent Virus Scan Identifications: JS:Downloader-FY, Trojan-Downloader.JS.Gumblar.x, Mal/ObfJS-CN, Trojan:JS/Gamburl.E, JS/Redirector.o, JS:Kroxxu-AE, JS:Kroxxu-AH
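The cleanup described above can be supported by a scan of a local copy of the site. The following is an added example, not code from the original page: scan_site, write_sample, the hosts injected.example and cdn.example, the trusted-host allowlist and the sample files are all constructed assumptions, and the gifimg.php check is generalized to any PHP file under a directory named images.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Injected tag format on pages, and the document.write() form appended to .js files.
PAGE_TAG = re.compile(r'<script\s+src\s*=\s*["\']?([^"\'\s>]+)["\']?\s*>\s*</script>', re.I)
JS_WRITE = re.compile(r'document\.write\(\s*[\'"]<script\s+src\s*=\s*([^\s>]+)\s*>\s*<\\?/script>[\'"]\s*\)', re.I)

def scan_site(root, trusted_hosts):
    """Return sorted (relative_path, reason) findings for a local copy of a site."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        # The page names gifimg.php in the images directory; generalized here
        # (assumption) to any PHP file under a directory named images.
        if ext == ".php" and "images" in rel.lower().split("/")[:-1]:
            findings.append((rel, "php-in-images"))
        if ext not in {".html", ".htm", ".php", ".js"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if ext == ".js" and JS_WRITE.search(text):
            findings.append((rel, "js-document-write-script"))
        for src in PAGE_TAG.findall(text):
            try:
                host = urlparse(src).hostname  # None for relative (same-site) paths
            except ValueError:
                host = "unparseable"
            if host and host not in trusted_hosts:
                findings.append((rel, "untrusted-script-host:" + host))
    return sorted(findings)

def write_sample(root):
    """Constructed sample site: one injected page, one injected .js, one backdoor name."""
    files = {
        "index.html": '<script src="js/app.js"></script>\n<script src=http://injected.example/a.php ></script>',
        "about.html": '<script src="https://cdn.example/lib.js"></script>',
        "js/app.js": "var a = 1;\ndocument.write('<script src=http://injected.example/a.php ><\\/script>');",
        "images/gifimg.php": "<?php /* constructed placeholder */ ?>",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(scan_site(tmp, {"cdn.example"}))
```

Findings are leads for manual review against a clean backup, since the injected code changes from time to time and the patterns here cover only the formats listed above.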