The Gumblar botnet has resurfaced five months after it first rose to prominence.
Mary Landesman, senior security researcher at ScanSafe, claimed that after building a botnet of compromised websites in May, Gumblar is now using those same compromised websites to host its malware.
Landesman said: “In a typical outbreak situation, there are compromised websites that act as a conduit for malware hosted on an attacker-owned site. But in this case, the malware resides on thousands of legitimate (but compromised) websites.
“The majority of the compromised websites are small mom-and-pop-style websites in non-English speaking countries, but that's not important because the attackers have a clever trick for driving traffic directly to the malware hosted on those sites.
“An iframe pointing to the malicious script on the compromised site is forcibly injected on various forums. The injected forums we've seen thus far are using feed aggregators to push their forum posts out to subscribers, who are then exposed to the iframe.”
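The delivery vector described above, a hidden iframe carried inside forum posts that feed aggregators then redistribute, can be checked for on the consuming side before posts are rendered. The following Python is an added example, not ScanSafe's code or anything from the original report; the sample feed, hostnames and the heuristics it applies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample feed (not a real capture): one clean post and one post
# carrying a hidden iframe that points at a script on a third-party site.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example forum</title>
<item><title>Clean post</title><link>http://forum.example/t/1</link>
<description><![CDATA[<p>Anyone tried the new reader update?</p>]]></description></item>
<item><title>Injected post</title><link>http://forum.example/t/2</link>
<description><![CDATA[<p>Great thread!</p><iframe src="http://shop.example.net/images/x.php"
 width="1" height="1" style="visibility:hidden"></iframe>]]></description></item>
</channel></rss>"""

class IframeCollector(HTMLParser):
    """Collects the attribute set of every <iframe> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def iframe_reasons(attrs, post_host):
    """Return why an iframe looks injected; an empty list means no signal."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden-by-style")
    dims = [attrs.get(k, "").strip('"px ') for k in ("width", "height")]
    if any(d.isdigit() and int(d) <= 1 for d in dims):
        reasons.append("tiny-size")
    src_host = urlparse(attrs.get("src", "")).hostname or ""
    if src_host and src_host != post_host:
        reasons.append("third-party-src")
    return reasons

def scan_feed(feed_xml):
    """Return (item title, iframe src, reasons) for each suspicious iframe."""
    findings = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", "")
        post_host = urlparse(item.findtext("link", "")).hostname or ""
        collector = IframeCollector()
        collector.feed(item.findtext("description", ""))
        for attrs in collector.iframes:
            reasons = iframe_reasons(attrs, post_host)
            if reasons:
                findings.append((title, attrs.get("src", ""), reasons))
    return findings
```

Run `scan_feed(SAMPLE_FEED)` to see the injected post flagged on all three signals; an aggregator could strip or quarantine such items rather than pushing them to subscribers.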
Landesman further claimed that the malicious script (which contains certain unique components included in the first-stage Gumblar attacks) checks the installed versions of Adobe Reader and Adobe Flash and delivers the same URL with a unique SID depending on the result.
The script also contains an exploit for the Microsoft Office Web Components vulnerability described in MS09-043, which was patched in August 2009. A successful exploit results in a randomly named file being dropped onto the system.
“This causes the malware to load when any sound-enabled application, i.e. any browser, is launched. The malware also takes a read of sqlsodbc.chm, a file targeted by previous Gumblar-delivered malware,” said Landesman.
ScanSafe claimed that signature-based detection of the malware is very low, according to a VirusTotal report.