Pandemic of the botnets 2009

[AplusWebMaster]

FYI...

Gumblar authors crash WordPress sites
- http://www.networkworld.com/news/200...s.html?hpg1=bn
11/04/2009 - "Webmasters who find an annoying error message on their sites may have caught a big break, thanks to a slip-up by the authors of the Gumblar botnet. Tens of thousands of Web sites, many of them small sites running the WordPress blogging software, have been broken, returning a "fatal error" message in recent weeks. According to security experts those messages are actually generated by some buggy malicious code sneaked onto them by Gumblar's authors... Gumblar's authors apparently made some changes to their Web code... and as a result "the current version of Gumbar effectively breaks WordPress blogs"*... WordPress sites that have crashed because of the buggy code display the following error message: Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) : eval()'d code:1)
in /path/to/site/wp-config.php(1) : eval()'d code on line 1
Other sites running software such as Joomla get different fatal-error messages... In effect, the messages warn Gumblar's victims that they've been compromised..."
* http://blog.unmaskparasites.com/2009...lex-php-sites/
04 Nov 09

WordPress Exploit Scanner
- http://wordpress.org/extend/plugins/exploit-scanner/
• Version: 0.6
• Last Updated: 2009-11-4
• Requires WordPress Version: 2.7.1 or higher
• Compatible up to: 2.8.5

[AplusWebMaster]

FYI...

Gumblar malware domain reactivated
- http://blog.scansafe.com/journal/200...s-baaaack.html
November 5, 2009 - "... some of the compromises were following a different pattern than we'd been seeing over the past couple of weeks. Further investigation revealed the newest iframe injection was pointing once again to gumblar .cn - the malware domain that originally earned Gumblar its name. The domain's reactivation occurred less than 24 hours ago, but it has ramifications that could stretch back for months. Any sites compromised in the May Gumblar attacks that were not yet cleaned up (unfortunately an all-to-common occurrence) could now start becoming vectors of Gumblar infection once again. This is in addition to new compromises pointing to the newly activated gumblar .cn and the already very active Gumblar compromises which are using compromised websites as malware hosts*...
Edited to add: This is not the first example of registrars releasing malware domain names back into use..."
* http://blog.scansafe.com/journal/200...et-awakes.html
October 15, 2009

- http://www.iss.net/threats/gumblar.html

- http://google.com/safebrowsing/diagn...te=gumblar.cn/
"... last time Google visited this site was on 2009-11-06, and the last time suspicious content was found on this site was on 2009-11-06... It infected 5918 domain(s)..."
- http://google.com/safebrowsing/diagn...ite=martuz.cn/
"... last time Google visited this site was on 2009-11-06, and the last time suspicious content was found on this site was on 2009-11-06... It infected 8558 domain(s)..."

- http://www.sophos.com/blogs/sophoslabs/v/post/7342
November 8, 2009

[AplusWebMaster]

FYI...

The Gumblar system
- http://www.viruslist.com/en/weblog?weblogid=208187897
November 11, 2009 - "... Analysis of some infected websites showed that the only way to inject the infection of Gumblar was by using FTP access, because those websites have no server-side scripting. Later this was proved by an analysis of FTP log files... it's a fully automated system. It's a new generation of self-building botnets. This system is actively attacking visitors of a website and once these visitors have been infected with the Windows executable, it grabs FTP credentials from the victim machines. The FTP accounts are then used to infect every webpage on new webservers. This way the system extends the number of infected pages, thus attacking more and more computers. The entire process is automated and the owner of the system just needs to adjust the system and update the Trojan executable which steals passwords and the exploits used to attack the browser. The system works in a constant loop of attacking new computers, getting new FTP accounts and infecting new servers..."

(Screenshots available at the URL above.)