Identify if a Malware Script is Gumblar

Updated: March 23, 2010

When the Gumblar malware first infected websites, it was easy to identify because it only used the domains gumblar.cn and martuz.cn to host its malware code. When it recently returned, it started hosting its malware code on many different domains that it has compromised. It is still possible to identify whether a malware script is Gumblar by checking the contents of the page that the malware script loads.

You should not check this using a web browser, because doing so could cause your computer to become infected with the malware. Instead, you should use a tool that allows you to view the contents of a web page, such as Rex Swain's HTTP Viewer.

First, you need to find the malware script on the web page. The Gumblar script is usually placed between the </head> and <body> tags and may also be at the bottom of the web page. Then you need to view the contents of the page the malware script loads. Each time the Gumblar code is generated, the variables it uses are different, but the basic format of the code is always the same. So if the code that is shown is in the same format as is shown below, the malware on the website is Gumblar.
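One way to do the first step (finding the script tag) on saved page source without opening it in a browser. This is an added example, not part of the original article and not Gumblar code; the sample page and the example.invalid hosts are constructed, and treating "the bottom of the web page" as anything after the closing </body> tag is an assumption.

```python
import re

# Constructed sample page source; hosts and paths are placeholders.
SAMPLE = """<html><head><title>Shop</title></head>
<script src="http://host-a.example.invalid/a.php"></script>
<body><script src="/js/site.js"></script><p>Hello</p></body></html>
<script src="http://host-b.example.invalid/b.php"></script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def suspicious_scripts(html):
    """Return (location, src) for script tags in the two places the article names.

    src is None for an inline script. Only the text is scanned; nothing is
    fetched or executed.
    """
    lower = html.lower()
    head_end = lower.find("</head>")
    body_start = lower.find("<body", head_end if head_end != -1 else 0)
    body_end = lower.rfind("</body>")
    findings = []
    for match in SCRIPT_RE.finditer(html):
        pos = match.start()
        src_match = SRC_RE.search(match.group(1))
        src = src_match.group(1) if src_match else None
        if head_end != -1 and body_start != -1 and head_end < pos < body_start:
            findings.append(("between </head> and <body>", src))
        elif body_end != -1 and pos > body_end:
            # Assumption: "bottom of the page" means after the closing body tag.
            findings.append(("after </body>", src))
    return findings


if __name__ == "__main__":
    for location, src in suspicious_scripts(SAMPLE):
        print(f"{location}: {src or '(inline script)'}")
```

Each reported URL is the page to view with a source viewer in the second step; a script in the normal head or body, such as /js/site.js in the sample, is not reported.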

Gumblar Code Example:

