WatchGuard Wire
Gumblar and Beladen attacking thousands of web sites.

8 June 09 -- Over the past few weeks, two pieces of malware have infected thousands of legitimate web sites and forced them to host malicious drive-by download code. The two web infections, Gumblar and Beladen, share a few similarities. Both consist of obfuscated JavaScript code, and both take their names from the malicious domain that hosts their payload (although Gumblar recently switched to a new domain). Let's look at each in a little more detail.

Gumblar has been around for a few months now, but it seems to have picked up steam recently. No one has clearly reported how Gumblar's malicious JavaScript first got onto legitimate web sites, but researchers do know what it does once it is there. If you visit a web site infected with Gumblar, its obfuscated JavaScript attempts to exploit two client-side vulnerabilities on your computer: the recent Adobe Reader PDF vulnerability and an Adobe Shockwave flaw. If you haven't patched, Gumblar leverages one of those flaws to download a trojan (probably a bot client) onto your computer. Once installed, the trojan does a number of things on your PC. For instance, it poisons your Google search results, redirecting you to other malicious sites. It also searches your computer for FTP credentials, hoping to gain FTP access to more web sites so that it can infect them with its malicious JavaScript code. That last step is what turns a single infected webmaster's PC into a way to compromise every site those credentials can reach, and it means a cleaned site can be re-infected as long as the PC holding its FTP password is still infected.

A bit less is known about Beladen. For example, researchers do not yet know exactly how Beladen infected so many legitimate web sites with its malicious JavaScript. Here's what they do know. Like Gumblar, Beladen's malicious JavaScript is designed to leverage browser-based vulnerabilities to launch drive-by download attacks against your computer. However, Beladen has a much larger attack arsenal, consisting of about twenty exploits. This could explain why its authors call it Beladen, a word which translates to "loaded" in German. If you visit a site that hosts the Beladen JavaScript, and one of its exploits succeeds, you get a bot client on your computer. Not good.

Combined, Beladen and Gumblar have reportedly infected over 100,000 legitimate web sites. So how can you protect yourself?

  1. Use gateway and client security software. Most AV software will catch these malicious JavaScripts.
  2. Keep your software up-to-date. Both of these pieces of malware exploit vulnerabilities for which patches are already available (in Gumblar's case, the Adobe Reader and Shockwave flaws mentioned above). If you've patched, those particular exploits fail against your computer.
  3. Finally, I've said it many times before, try browsing with Firefox and the NoScript extension. I won't try to convince you that Firefox is the most secure browser out there, but it is the only one that supports NoScript. NoScript blocks scripts from sites you haven't explicitly trusted, which stops drive-by JavaScript attacks like these ones by default.
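The three steps above protect the visitor. The site owner's side of the problem is that both infections show up as obfuscated script injected into pages nobody on the team edited, so a periodic sweep of the web root for that pattern is a useful check. The following is an added example written for this article, not code from WatchGuard or from the Gumblar and Beladen analyses; its indicators (decode-then-execute chains such as eval(unescape(...)), long runs of %XX escapes, script tags loading from hosts outside an allow-list) are generic hallmarks of obfuscated drive-by loaders, not actual Gumblar or Beladen signatures, and the two sample pages at the bottom are constructed for the demonstration.

```python
"""Heuristic sweep of a web root for injected, obfuscated <script> blocks.

Added example; not code from WatchGuard or from the Gumblar/Beladen write-ups.
The indicators are generic hallmarks of obfuscated drive-by JavaScript, not
real Gumblar or Beladen signatures, and the sample pages are constructed.
"""
import os
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Inline script bodies, and the src attribute of external script tags.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Assumed heuristics: decode-then-execute chains and long escaped blobs are
# rare in hand-written site scripts but routine in injected drive-by loaders.
INDICATORS: Dict[str, "re.Pattern"] = {
    "eval_unescape": re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode_eval": re.compile(r"\beval\s*\([^)]*String\.fromCharCode", re.I),
    "long_escape_run": re.compile(r"(?:%[0-9a-f]{2}){40,}|(?:\\x[0-9a-f]{2}){40,}", re.I),
    "document_write_iframe": re.compile(r"document\.write\s*\([^)]*<iframe", re.I),
}

Finding = Tuple[str, str]  # (indicator name, evidence snippet)


def scan_script_body(body: str) -> List[Finding]:
    """Apply the indicators to one piece of JavaScript source."""
    findings: List[Finding] = []
    for name, rx in INDICATORS.items():
        hit = rx.search(body)
        if hit:
            findings.append((name, body[hit.start():hit.start() + 60]))
    return findings


def scan_html(html: str, trusted_hosts: Set[str]) -> List[Finding]:
    """Return findings for one HTML page. An empty list means nothing flagged."""
    findings: List[Finding] = []
    for m in SCRIPT_RE.finditer(html):
        findings.extend(scan_script_body(m.group(1)))
    for m in SRC_RE.finditer(html):
        host = urlparse(m.group(1)).hostname
        # Relative paths have no host and are taken to be the site's own files.
        if host and host.lower() not in trusted_hosts:
            findings.append(("untrusted_script_src", host))
    return findings


def scan_tree(root: str, trusted_hosts: Set[str]) -> Dict[str, List[Finding]]:
    """Walk a web root and report per-file findings for HTML, PHP and JS files."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            lower = fn.lower()
            if not lower.endswith((".html", ".htm", ".php", ".js")):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = scan_script_body(text) if lower.endswith(".js") else scan_html(text, trusted_hosts)
            if hits:
                report[path] = hits
    return report


# Hypothetical allow-list of hosts this site legitimately loads scripts from.
TRUSTED = {"www.example.com"}

# Constructed clean page: the site's own library plus an ordinary inline script.
CLEAN_PAGE = """<html><head>
<script src="http://www.example.com/js/app.js"></script>
<script>document.getElementById('y').textContent = new Date().getFullYear();</script>
</head><body><p>Hello</p></body></html>"""

# Constructed infected page: a decode-and-execute loader appended at the end of
# the body, plus a script pulled from a host the owner never approved
# (.invalid is a reserved TLD, so the name resolves nowhere).
_blob = "".join("%%%02x" % ord(c) for c in "var x=1;" * 6)  # 48 %XX escapes
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>eval(unescape('" + _blob + "'));</script>"
    '<script src="http://malware-host.invalid/x.js"></script></body>',
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(label, scan_html(page, TRUSTED))
```

Run `scan_tree("/var/www/html", {"www.example.com"})` from a known-good machine, not from the webmaster's PC, since that PC is the one the trojan may be sitting on. Treat a hit as a reason to diff the file against a clean backup rather than as proof of infection: legitimately minified libraries can trip the escape-run rule, and a loader that has been re-encoded in a way these patterns do not cover will slip past it.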

-- Corey Nachreiner, CISSP

Copyright© 2009 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.