Computer Business Review

Security experts warn on mutating Gumblar worm

CBR Staff Writer

10:21, May 26 2009

A next Conficker in the making

Security experts have flagged the rise of a fast-mutating worm which is already supposedly responsible for up to half of all malware carried on web sites and which could become a bigger threat than the Conficker virus.

The Gumblar worm targets Google search engine users and attempts to redirect returned search results to malicious sites.

According to anti-virus software supplier ScanSafe, the malicious script appears to be dynamically generated and varies not only from site to site, but also from page to page on the same site.

People who have come across the worm report that visitors to compromised web sites risk having their subsequent Google search results replaced with links that point to malicious and fraudulent sites.

Sophos has claimed Gumblar is responsible for at least 40% of all malicious code found on websites, and is mutating as it spreads. The variations of the injected code have reportedly increased, which is an obvious step to evade detection by security solutions.

Another security software vendor, Websense, has said the destination page that Gumblar redirects people to serves up different versions of the malicious content.

It reckons this could be because the malware authors may have a randomiser built into their server-side code to intentionally serve different content each and every time.

The worm, which has been known as JSRedir-R in some circles, has been around for a while but the speed of its progress in the past week and more is a cause for concern. It is believed to have originated in China and attacks PCs through vulnerabilities in Adobe PDF reader and Flash player.

