Around October 20th we received emails from our office in Turkey about the “possible spread of a new virus”. Our colleagues were right: something was going on. Some days before that, on October 16th, we had noticed changes on some websites which we have been monitoring since May 2009, when ‘gumblar’ was spreading. While the April/May attack only used iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are far more widely distributed: we identified more than 202 locations.
The following is a TOP 20 list of countries by number of ‘injected’ hosts pointing to these malicious URLs:
7271 UNITED STATES*
704 RUSSIAN FEDERATION
675 REPUBLIC OF KOREA
619 ISLAMIC REPUBLIC OF IRAN
540 TURKEY
510 GERMANY
499 INDIA
487 JAPAN
400 THAILAND
382 POLAND
379 BRAZIL
345 ARGENTINA
298 CZECH REPUBLIC
187 HUNGARY
182 BELGIUM
173 ITALY
163 ROMANIA
159 UKRAINE
157 FRANCE
117 VIET NAM
*Note: The US count contains more than 4000 entries pointing to a Persian blog site, which was probably the most abused single entry so far.
Among the compromised hosts there were also plenty of .gov machines. Currently we count no less than 71 .gov entries, of which 47 are in Turkey. We also see about 65 .edu sites and around 79 .ac domains, mainly spread across Thailand, India and Korea.
A deeper analysis of the counts for Japan revealed at least 487 compromised sites, of which 357 were still injected with malicious URLs at the time of writing.
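The monitoring behind these counts boils down to fetching each watched page, looking for an injected iframe or script whose src points at a known spreading server, and tallying the affected hosts by .gov/.edu/.ac. The following is an added example of such a check (our own illustration, not the tooling used for the numbers above); the known-bad list holds only the two domains named for the April/May wave, and the page snapshots are constructed, not real sites.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Spreading servers named in the post for the April/May wave. In practice this
# set is fed from your own monitoring of the current wave's redirect targets.
KNOWN_BAD_DOMAINS = {"gumblar.cn", "martuz.cn"}

# Finds the src of <iframe> and <script> tags regardless of attribute order or
# quoting style; injected markup is usually a single such tag near </body>.
_SRC_RE = re.compile(
    r"<(?:iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def _is_bad_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def injected_urls(html):
    """Return the iframe/script src URLs in html that point at a known spreader."""
    return [src for src in _SRC_RE.findall(html)
            if _is_bad_host(urlparse(src).hostname or "")]


def classify_host(hostname):
    """Bucket a hostname the way the post counts: gov, edu, ac (e.g. ac.jp,
    ac.th) or 'other'. Any label after the first counts, so gov.tr is gov."""
    labels = hostname.lower().split(".")[1:]
    for cls in ("gov", "edu", "ac"):
        if cls in labels:
            return cls
    return "other"


def tally_injected(pages):
    """pages maps monitored hostname -> fetched HTML. Returns per-class counts
    of injected hosts plus (host, url) pairs for follow-up with site owners."""
    counts, findings = Counter(), []
    for host, html in pages.items():
        urls = injected_urls(html)
        if urls:
            counts[classify_host(host)] += 1
            findings.extend((host, u) for u in urls)
    return counts, findings


# Constructed sample snapshots (hypothetical hostnames, not captured markup).
SAMPLE_PAGES = {
    "www.ministry.gov.tr": '<body>Hi<iframe src="http://gumblar.cn/rss/?id=1" width=0 height=0></iframe></body>',
    "www.campus.ac.th": "<body><script src='http://martuz.cn/vid/?id=7'></script></body>",
    "www.shop.example.com": '<body><script src="http://cdn.example.com/jquery.js"></script></body>',
    "blog.example.net": '<body><IFRAME SRC=http://x.gumblar.cn/go style="display:none"></IFRAME></body>',
}
```

Running `tally_injected(SAMPLE_PAGES)` on the constructed snapshots flags three of the four hosts, one each under gov, ac and other, and leaves the page that only loads its own CDN script untouched.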
Some estimated access counts:
21760 www.es***ne.com
20823 www.sport***.mk
19574 www.fortun***.ru
11937 www.***jinja.or.jp
10434 www.***land*.it
Our accumulated data for one week showed 443748 access hits in total – and that is only part of the whole incident. For several days after we noticed this new threat and added detection for the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The ‘new gumblar’ took some time to get noticed more widely and _still_ seems to go unnoticed by many. However, it is very active indeed, and as a side effect several PC vendors’ support lines have been flooded with queries about sudden reboots and the like. There are also reports that machines infected with a buggy version of gumblar fail to boot at all, leaving the screen black with only the mouse pointer visible.
Of course, the numbers above aren’t final and are rising every day.
The new gumblar