The new gumblar

Around October 20th we received mails from our office in Turkey about the “possible spread of a new virus”. And our colleagues were right, something was going on. Some days before that, on Oct 16th we noticed changes on some websites which we monitored since May 2009 when ‘gumblar’ was spreading. While the attack in April/May just worked with iframes redirecting to two malicious sites (gumblar.cn, martuz.cn), this time the spreading servers are more widely distributed – we identified more than 202 locations.

The following is a TOP 20 list of countries with ‘injected’ hosts who point to these malicious URLs:

7271    UNITED STATES*
704      RUSSIAN FEDERATION
675      REPUBLIC OF KOREA
619      ISLAMIC REPUBLIC OF IRAN
540      TURKEY
510      GERMANY
499      INDIA
487      JAPAN
400      THAILAND
382      POLAND
379      BRAZIL
345      ARGENTINA
298      CZECH REPUBLIC
187      HUNGARY
182      BELGIUM
173      ITALY
163      ROMANIA
159      UKRAINE
157      FRANCE
117      VIET NAM

*Note: The US count contains more than 4000 entries pointing to a Persian Blog Site, which probably was the biggest abused entry so far.

In between the compromised hosts there were also plenty of .gov machines involved. Currently we count no less than 71 .gov entries of which 47 are in Turkey. We also see about 65 .edu sites and ca. 79 .ac domains, mainly spread throughout Thailand, India and Korea.

A deeper analysis of counts in Japan revealed at least 487 compromised sites, of which 357 are still injected with malicious URLs at the time of writing.

Some estimated access counts:

21760      www.es***ne.com
20823      www.sport***.mk
19574      www.fortun***.ru
11937      www.***jinja.or.jp
10434      www.***land*.it

Our accumulated data for one week showed 443748 access hits in total – and that is only a part of the whole incident. For several days after we noticed this new threat and added detection of the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The ‘new gumblar’ took some time to get noticed more widely and _still_ seems unnoticed by many. However, it is very active indeed and as a side effect several PC vendors support lines have been flooded with queries about sudden reboots etc. There are also reports that machines infected with a buggy version of gumblar fail to boot completely, leaving the screen black and only the mouse pointer visible.

Of course, the numbers above aren’t final and are rising every day.