Gumblar Website Botnet Awakes
Remember last May when we suggested that Gumblar was building a botnet of compromised websites? It appears that Gumblar is now using those compromised websites as hosts for its malware.
In a typical outbreak situation, compromised websites act as a conduit for malware hosted on an attacker-owned site. In this case, however, the malware itself resides on thousands of legitimate (but compromised) websites.
The malicious .php file is placed on the compromised site under the same path and filename as a legitimate file that already exists there, usually a .gif or some other image type.
The majority of the compromised websites are small mom-and-pop style websites in non-English speaking countries, but that's not important, because the attackers have a clever trick for driving traffic directly to the malware hosted on those sites: an iframe pointing to the malicious script on the compromised site is forcibly injected into various forums. The injected forums we've seen thus far use feed aggregators to push their forum posts out to subscribers, who are then exposed to the iframe.
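Two defender-side checks follow from the last two paragraphs: on the web server, look for .php scripts that shadow an existing image (same directory, same stem), and in syndicated forum content, look for iframes that point off-site. The script below is an added example written for this post, not ScanSafe's tooling or anything taken from the Gumblar code; the site tree it builds and the feed item it scans are constructed, and the hostnames forum.example and compromised.example are placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Static asset extensions whose path an attacker may reuse for a dropped script
# (the post names .gif as the most common case).
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".ico")

# Matches the src attribute of an <iframe>, quoted or unquoted.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_masquerading_php(webroot):
    """Return .php files (paths relative to webroot, '/'-separated) that sit in
    the same directory as an image file with the same stem, e.g. images/logo.php
    next to images/logo.gif. Legitimate sites rarely name scripts after images."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        lowered = {name.lower() for name in filenames}
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            if ext != ".php":
                continue
            if any(stem + img in lowered for img in IMAGE_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def find_injected_iframes(html, own_hosts=()):
    """Return the src of every iframe whose host is not one of own_hosts.
    Relative srcs (no host) are treated as same-site and ignored. Forum posts
    syndicated through a feed should not carry off-site iframes at all."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for src in IFRAME_SRC_RE.findall(html):
        host = urlparse(src).netloc.lower()
        if host and host not in own:
            hits.append(src)
    return hits


def build_sample_webroot():
    """Create a constructed site tree in a temp directory and return its path:
    one script shadowing an image, plus normal files that must not be flagged."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    os.makedirs(os.path.join(root, "images"))
    for rel in ("index.php", "images/banner.png", "images/logo.gif", "images/logo.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder")
    return root


# Constructed feed item: forum.example stands for the legitimate forum, and the
# iframe target is a placeholder for a compromised third-party site.
SAMPLE_FEED_ITEM = """<item><description><![CDATA[
<p>Great tip, thanks!</p>
<a href="http://forum.example/thread/42">reply</a>
<iframe src="http://compromised.example/images/logo.php" width=1 height=1></iframe>
]]></description></item>"""


if __name__ == "__main__":
    root = build_sample_webroot()
    print("masquerading scripts:", find_masquerading_php(root))
    print("off-site iframes:", find_injected_iframes(SAMPLE_FEED_ITEM, own_hosts={"forum.example"}))
```

Run it against a real document root by calling `find_masquerading_php("/var/www/html")`, and feed it the raw RSS or Atom body from the aggregator for the iframe check. The stem comparison is deliberately case-insensitive because many of the affected hosts serve from case-insensitive filesystems.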
The malicious script (which contains certain unique components seen in the first-stage Gumblar attacks) checks the installed versions of Adobe Reader and Adobe Flash and delivers the same URL with a unique SID that depends on the result. The script also contains an exploit for the Microsoft Office Web Components vulnerability described in MS09-043, patched in August 2009. A successful exploit results in a randomly named file being dropped onto the system. As in the original Gumblar attacks, the malware modifies the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
This causes the malware to load whenever a sound-enabled application, i.e. any browser, is launched. The malware also reads sqlsodbc.chm, a file targeted by previous Gumblar-delivered malware. Signature detection of the malware is very low according to this VirusTotal report.
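Because Drivers32 is a load point that most endpoint tooling overlooks, it is worth diffing the key on suspect machines. The default entries are bare module names that Windows resolves from the system directory, so a value carrying a full directory path is a cheap first-pass indicator. The parser below is an added example written for this post, not ScanSafe's code and not a description of what the Gumblar dropper actually writes; it reads a `.reg`-style export (the `SAMPLE_REG` text is constructed, and the `midi9` value with its path under a user's Temp directory is a placeholder) rather than the live registry, so it also runs on an analyst's non-Windows workstation.

```python
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Constructed .reg export. The first four values mimic the form of default
# entries (bare module names); "midi9" is a constructed placeholder for the
# kind of entry a dropper would add, not Gumblar's real value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"midi9"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\xyz123.dll"
'''

# One REG_SZ value line: "name"="data", with \\ and \" escapes inside data.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_key(reg_text, key_path):
    """Return {name: data} for the string values found under key_path in a
    .reg export. Only REG_SZ lines are handled; other types are skipped."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        match = VALUE_RE.match(line)
        if match:
            name, data = match.groups()
            # Undo .reg escaping: \\ -> \ and \" -> "
            values[name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return values


def suspicious_drivers32(values):
    """Heuristic: default Drivers32 data is a bare module name loaded from the
    system directory. An entry that embeds a directory path, especially one
    under a user profile or Temp, is the sort of thing to pull for analysis.
    Comparing against an export from a known-clean build of the same Windows
    version is the stronger check; this flags only the obvious cases."""
    return {name: data for name, data in values.items()
            if "\\" in data or "/" in data}


if __name__ == "__main__":
    drivers = parse_reg_key(SAMPLE_REG, DRIVERS32_KEY)
    for name, data in suspicious_drivers32(drivers).items():
        print(f"suspicious Drivers32 value {name!r} -> {data}")
```

Real `reg export` output is UTF-16 with a BOM, so decode it (`open(path, encoding="utf-16")`) before passing the text in. The default value set differs between Windows versions, which is why the example only flags path-bearing data rather than hard-coding an allow-list.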
ScanSafe customers continue to be protected against all stages of the Gumblar attacks.

Mary Landesman
Reader Comments (1)
I agree. I have experienced the attacks of the malware and it caused a lot of damage to me and to my pool website.