Gumblar is a computer virus that first appeared in 2009. It has been identified as one of the most malicious viruses in existence. It is characterized by re-directing user’s Google searches and is suspecting to come from flash and PDF files.
Personal Computers
Visitors to an infected site will be redirected to an alternative site containing further Malware, which was once gumblar.cn, but has now switched to a variety of domains. The site sends the visitor an infected PDF that is opened by the visitor’s browser or Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user’s computer.
The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients’ stored passwords. It also enabled promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer.
Servers
Using passwords obtained from site admins, the host site will access a website via FTP and infect the website. It will download large portions of the website and inject malicious code into the website’s files before uploading the files back onto the server. The code is inserted into any file that contains a tag, such as HTML, PHP, JavaScript, ASP and ASPx files. The inserted PHP code contains base64-encoded JavaScript that will infect computers that execute the code. In addition, some pages may have inline frames inserted into them. The virus will also modify .htacess and HOSTS files, and create images.php files in directories named ‘images’. The infection is not a server-wide exploit. It will only infect sites on the server that it has passwords to.