
Gumblar uses SQL injection to infect Web servers.
Malware watchers are reporting that the Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of white hats this spring when it was reported to be using SQL injection attacks to infect legitimate websites, sites such as Tennis.com, Variety and Coldwellbanker.com, and to spread itself to the personal computers of visitors to those sites. (Later analyses attributed most of the site compromises to FTP credentials stolen from already-infected PCs, a behavior described below.) SQL injection attacks are performed against the database layer of an application: user input is pasted into a query string without being sanitized or parameterized, so crafted input can change the meaning of the query. The classic consequence is a login check that can be made to succeed without a valid password.
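To make the database-layer point concrete, here is an added example, not from the original article and not code from any Gumblar sample, showing the classic authentication-bypass injection against a login query built by string concatenation, beside the parameterized form that defeats it. The table, the user record and the payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the input becomes part of the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Uses bind parameters: the driver keeps the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads. The first comments out the password check with '--';
# the second makes the WHERE clause true for every row (AND binds tighter than OR).
PAYLOADS = [("alice' --", "wrong"), ("nobody", "' OR '1'='1")]


def compare():
    """Returns {payload: (vulnerable_result, parameterized_result)} for each payload."""
    conn = make_db()
    return {p: (login_vulnerable(conn, *p), login_parameterized(conn, *p))
            for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (bad, good) in compare().items():
        print(f"{payload!r}: vulnerable={bad} parameterized={good}")
```

Both payloads log in through the concatenated query and are rejected by the parameterized one; the fix is the placeholder, not input filtering.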
After making its initial splash, its activity abated, only to revive at the end of the summer. Now it is running wild again, according to security researchers, infecting hundreds of trusted sites and, through them, thousands of PCs.
In its original form, the badapp poisoned a site's back-end pages or used an iFrame or similar ploy to redirect a visitor to a black-hat server for a proper fleecing and contamination. The hidden iFrame has become a popular ruse of cyberbandits. Once injected into a trusted site's HTML, typically sized to zero pixels or styled invisible, it silently loads a page from the attacker's server that runs obfuscated JavaScript in the unsuspecting keyboard jock's browser. That code in turn fetches more code from other Net places that probes the target system for exploitable vulnerabilities. Crackers leverage those vulnerabilities to gain control of the user's computer and filch usernames, passwords and other information from it. In particular, Gumblar harvests FTP credentials so it can log in to more web servers and inject them in turn.
Browsers such as Firefox can be set to warn when a page tries to redirect automatically (the setting is off by default), but redirects are so common that most users wave them through without a second thought, much as they would a notice to upgrade a browser extension or plug-in. A hidden iFrame, moreover, shows no prompt at all; nothing on screen tells the visitor that a second page has been loaded.
The original Gumblar redirected its victims to a couple of nefarious sites, but now, white hats say, the scamgram is pointing its gulls to thousands of servers in more than 200 countries. In the United States alone, an estimated 7,200-plus servers are spreading Gumblar. Favorite targets of the Gumbsters are servers under the .edu and .gov domains.
The latest version of Gumblar appears to be departing from its iFrame roots, according to security experts. Rather than redirecting muggins to a rogue site such as gumblar.cn, it plants its sickening scripts and felonious payloads directly on the compromised host. That makes the malware much harder to fight: instead of blocking an attack infrastructure of one or two servers, defenders must cope with thousands of infected, otherwise legitimate servers. Moreover, the scripts are given file names and locations that blend into the site's existing structure, and heavy obfuscation is used to slip past signature-based defenses.
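The two injection styles described above, the hidden iFrame and the inline obfuscated script, can both be hunted for in a site's own files. The following scanner is an added example, not code from the article or from any published Gumblar analysis. Its heuristics (zero-size or hidden iframes; runs of hex escapes; stacked eval, unescape, fromCharCode or document.write calls; very long whitespace-free lines) are my assumptions about what injected content looks like, and the HTML it scans is constructed for the demonstration.

```python
import os
import re
from html.parser import HTMLParser

# Heuristic markers for injected content. These are assumptions about what
# Gumblar-style injections look like, not a published signature.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")


def looks_obfuscated(js):
    """True when a script body carries the usual signs of a packed payload."""
    if ESCAPE_RUN.search(js):
        return True
    if sum(js.count(m) for m in OBFUSCATION_MARKERS) >= 2:
        return True
    longest = max((len(line) for line in js.splitlines()), default=0)
    return longest > 400 and js.count(" ") / max(len(js), 1) < 0.02


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for hidden iframes and obfuscated scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # list of data chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = (a.get("width", "").strip() in ("0", "1")
                    or a.get("height", "").strip() in ("0", "1"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            if looks_obfuscated(body):
                self.findings.append(("obfuscated-script", body[:60]))


def scan_html(text):
    """Returns the list of findings for one HTML document."""
    scanner = InjectionScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def scan_directory(root, exts=(".html", ".htm", ".php")):
    """Walks a site tree and returns {path: findings} for files with findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    results[path] = found
    return results


# Constructed sample page: one benign script, one hidden iframe, one packed script.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script>document.getElementById("cart").innerHTML = "0 items";</script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29'))</script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run scan_directory against a copy of the document root, not the live tree, and compare findings with a known-good backup; a hit is a reason to rotate the site's FTP credentials, since that is how Gumblar got in.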
According to one malware watcher, Gumblar’s script modifies this key in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Drivers32 lists the libraries Windows loads as multimedia drivers into any process that initializes the multimedia subsystem; a browser is one such process, so the alteration ensures the malware is loaded whenever a browser is launched.
The malicious program also alters sqlsodbc.chm, a file present by default in the Windows\System32 directory on Windows XP. The Drivers32 entry the malware adds points at this altered file, so Windows loads it as if it were a driver.
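One way to check a machine for the registry change described above, as an added example that is not from the article: export the Drivers32 key with reg.exe and run the export through the parser below, which flags entries that do not look like legitimate multimedia driver registrations. The .reg text it parses is a constructed sample, with one value invented to mimic the entry the article describes; the list of expected extensions (.dll, .drv, .acm) and the rule that legitimate entries are bare file names rather than full paths are my assumptions.

```python
import re

# Constructed .reg export (sample input for this demonstration, not from a real host).
# In .reg files backslashes inside string data are doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wavemapper"="msacm32.drv"
"midi9"="C:\\WINDOWS\\system32\\sqlsodbc.chm"
'''

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
EXPECTED_EXT = {".dll", ".drv", ".acm"}  # assumption: what real driver entries end in
ARTICLE_INDICATOR = "sqlsodbc.chm"       # the file the article names
VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_values(text, key):
    """Returns {value_name: string_data} for one key of a .reg export."""
    values = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if in_key:
            m = VALUE_LINE.match(line)
            if m:
                name, raw = m.groups()
                values[name] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return values


def suspicious_drivers32(values):
    """Returns [(name, data, [reasons])] for entries that do not look like driver DLLs."""
    findings = []
    for name, data in values.items():
        reasons = []
        if "\\" in data or "/" in data:
            reasons.append("full path instead of bare driver file name")
        ext = "." + data.lower().rsplit(".", 1)[-1] if "." in data else ""
        if ext not in EXPECTED_EXT:
            reasons.append("unexpected extension " + (ext or "(none)"))
        if data.lower().endswith(ARTICLE_INDICATOR):
            reasons.append("file named in Gumblar reports")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    # On a real host: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg
    # then read that file instead of SAMPLE_REG.
    for name, data, reasons in suspicious_drivers32(parse_reg_values(SAMPLE_REG, DRIVERS32_KEY)):
        print(f"{name} = {data}: {'; '.join(reasons)}")
```

A flagged entry is not proof on its own; confirm by checking the named file's hash and signature, since the registry value is only the loader and the payload is the file it points at.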
Security experts report that the latest strain of Gumblar is fond of delivering malicious PDF and Flash files that exploit vulnerabilities in Adobe Reader and Flash Player. They add that infections are so widespread that some PC vendors are finding their support lines inundated with calls about erratic computer behavior symptomatic of the cybercancer. That behavior includes spontaneous reboots and failure to start up completely; in the latter case the screen stays black with only a mouse pointer displayed.
Gumblar's behavior is leading some security researchers to believe it is a "botnet for hire," designed to achieve a variety of ends for a variety of Web rats. In some cases the badapp merely redirects traffic to a rogue site to rack up page views and advertising revenue through click fraud. In other cases it diverts Websters to sites that will infect a target's system with malware.
Keeping operating-system patches, and above all Adobe Reader and Flash Player patches, up to date, and keeping an organization's intrusion-prevention signatures current, can provide some measure of protection from Gumblar, and vigilance when unexpected redirect prompts or unsolicited plug-in upgrade notices pop up in a browser window will go a long way toward thwarting the malware's malevolent aspirations. Site owners, for their part, should treat their FTP passwords as compromised the moment any machine that used them turns out to be infected, and change them from a clean system.


