Posted by: Robert Westervelt
FTP Credentials, Gumblar Trojan
A security researcher explains how to detect the Trojan, but many victimized website owners don’t have the technical expertise to fix the problem.
Mary Landesman, a senior security researcher at security vendor ScanSafe, writes about how to decode and identify backdoor PHP scripts – the kind of code associated with the FTP-stealing Trojan, Gumblar.
The Gumblar and Martuz Trojans surfaced earlier this year and have been successfully stealing thousands of FTP credentials, gaining access to websites in order to set them up as an attack platform to host malware. We don’t know exactly how prevalent Gumblar is since most security vendors that track Trojans fail to provide any actual numbers, but it’s safe to say that Gumblar continues to spread at high enough levels to warrant concern. ScanSafe, Symantec, McAfee and others have warned that thousands of websites have been compromised by Gumblar to create a relatively strong botnet.
In addition to checking log files for any abnormalities, Landesman said site administrators can be more proactive:
1. Search for unexpected PHP files or for PHP files unexpectedly modified in the past month (sort your file listing by date);
2. Look for a corresponding /s subfolder found in the same location as the suspicious PHP file;
3. Check all folders on the site, as Gumblar may install itself to multiple locations.
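The three checks above can be scripted so an administrator does not have to eyeball directory listings by hand. The following shell script is an added example for this post, not code from ScanSafe or from Landesman's write-up. It assumes the web root is passed as the first argument, approximates "the past month" as 30 days, treats the "/s subfolder" as a directory literally named `s` beside the PHP file, and relies on `find` recursing into every folder under the root to cover step 3.

```shell
#!/bin/sh
# Added example: walk a web root for the Gumblar indicators described in
# the post. Assumptions (not from the article): $1 is the web root, the
# look-back window is 30 days unless $2 overrides it, and the indicator
# directory is named exactly "s" in the same directory as the PHP file.

# Step 1: PHP files modified within the last N days, anywhere under the root.
# find recurses, so this also covers step 3 (check every folder on the site).
recent_php_files() {
  root="$1"
  days="${2:-30}"
  find "$root" -type f -name '*.php' -mtime "-$days" -print
}

# Step 2: does the given PHP file sit beside a directory named "s"?
# Returns 0 (true) when the sibling directory exists, 1 otherwise.
has_s_sibling() {
  [ -d "$(dirname "$1")/s" ]
}

# Print one line per recently modified PHP file. Files with an "s" sibling
# directory are marked SUSPECT for manual review; the rest are listed as
# "recent" so the administrator can still decide whether the change was expected.
scan_webroot() {
  root="$1"
  days="${2:-30}"
  recent_php_files "$root" "$days" | while IFS= read -r f; do
    if has_s_sibling "$f"; then
      printf 'SUSPECT %s (sibling directory %s/s)\n' "$f" "$(dirname "$f")"
    else
      printf 'recent  %s\n' "$f"
    fi
  done
}

# Count of SUSPECT lines, printed as a number (0 when nothing was flagged).
count_suspects() {
  scan_webroot "$1" "${2:-30}" | awk '/^SUSPECT/ { c++ } END { print c + 0 }'
}

# Stand-alone usage: sh gumblar_scan.sh /var/www/html [days]
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
  scan_webroot "$1" "${2:-30}"
  printf 'suspect files: %s\n' "$(count_suspects "$1" "${2:-30}")"
fi
```

A SUSPECT line is a lead, not a verdict: a recently edited PHP file with an `s` directory beside it matches the pattern Landesman describes, but the file still has to be opened and decoded to confirm it is a backdoor, and a legitimate deployment that touched many PHP files in the same window will show up as "recent" noise that has to be reconciled against the site's change history.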
The problem is that many of these websites are small, may be abandoned or are run by people with little technical expertise. I’ve spoken to several other security researchers who have attempted to contact some of the owners of the infected websites. Some of the site owners didn’t even realize they had a website let alone one that was being used as an attack platform. Others didn’t have the technical expertise to take any action.
This is a growing problem and one that may need to be solved by the registrars that are in the business of selling domains to anyone with a credit card. Who is responsible here? Obviously that wasn’t clear enough when many of these website owners signed up to establish a Web presence.