Gamburl Gone Wild


We’re seeing plenty of reports for a JavaScript redirector malware family that we call Gamburl; previous reports have called it Gumblar or Redir.


These attacks seem to be coming from legitimate Web sites with pages that have been modified to contain this malicious script. So even if you’re visiting a Web site that you trust, there’s still the possibility that you may be a victim of these so-called “drive-by attacks”.


When a user visits a site containing a Gamburl script, the browser will be redirected to a specific Web site that contains a slew of exploits and other malware. As of this writing, Gamburl is known to redirect to the following Web sites:


gumblar.cn
martuz.cn
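As an added example (not part of the original post), here is a small Python triage script that sweeps proxy log lines for requests to the two redirect domains above and reports the referring page, which in a drive-by chain is usually the compromised legitimate site. The log format and every sample entry are constructed for this example; only the domains come from the post. Matching is done on the parsed hostname at label boundaries, so a subdomain such as www.martuz.cn is caught while a look-alike name like notgumblar.cn is not.

```python
from urllib.parse import urlsplit

# Redirect destinations named in this post. Add new ones here as they change.
REDIRECT_DOMAINS = ("gumblar.cn", "martuz.cn")

# Constructed sample log (not real traffic). Format assumed for the example:
#   timestamp client method url referer   ("-" when there is no referer)
SAMPLE_LOG = """\
2009-05-14T10:01:02Z 10.0.0.5 GET http://www.example-news.com/index.html -
2009-05-14T10:01:03Z 10.0.0.5 GET http://gumblar.cn/rss/?id=1 http://www.example-news.com/index.html
2009-05-14T10:02:10Z 10.0.0.9 GET http://cdn.example.net/lib.js http://shop.example.org/
2009-05-14T10:05:44Z 10.0.0.7 GET http://www.martuz.cn/vid/?id=2 http://shop.example.org/cart
2009-05-14T10:06:00Z 10.0.0.7 GET http://notgumblar.cn/ -
2009-05-14T10:07:13Z 10.0.0.7 GET http://GUMBLAR.CN/ http://www.example-news.com/story.html
"""


def host_matches(host, domains=REDIRECT_DOMAINS):
    """True if host is one of the domains or a subdomain of one.

    Label-boundary matching: 'www.martuz.cn' is a hit, 'notgumblar.cn' is not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hostname(url):
    """Lowercased hostname of a URL, or '' for '-' or an unparsable value."""
    if url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    fields = line.split()
    if len(fields) != 5:
        return None  # malformed line: skip it rather than abort the sweep
    ts, client, method, url, referer = fields
    return {"time": ts, "client": client, "method": method, "url": url, "referer": referer}


def find_redirects(log_text, domains=REDIRECT_DOMAINS):
    """Return the parsed entries whose destination host is a redirect domain."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and host_matches(hostname(entry["url"]), domains):
            hits.append(entry)
    return hits


def compromised_sites(hits):
    """Referring hosts of the hits: the pages that carried the injected script."""
    return {hostname(h["referer"]) for h in hits if h["referer"] != "-"}


def affected_clients(hits):
    """Client addresses that followed a redirect and need an AV scan."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    hits = find_redirects(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']} -> {hostname(h['url'])} (referer: {h['referer']})")
    print("likely compromised sites:", sorted(compromised_sites(hits)))
    print("clients to check:", sorted(affected_clients(hits)))
```

Run it against an export of your proxy or web-filter logs in the same five-field shape, or adapt parse_line to your format. The referer set is the useful output for site owners: each host in it served a page that sent a visitor to a redirect domain and should be inspected for the injected script.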


Once the browser is connected to one of these sites, Gamburl tries to download further malware onto the system. From what we have observed, these payloads are mostly backdoors and exploits for PDF readers and Shockwave Flash. Some of the downloaded malware are variants of the Win32/Daonol family; example MD5 hashes of Daonol samples are 7de29e5e10adc5d90296785c89aeabce and 2131112053ed144c46277b9024bcf39f.

Daonol trojans can block access to security Web sites and redirect searches to sites hosting other malware. Daonol also steals information such as FTP credentials and writes it to a file in the Windows system folder named sqlsodbc.chm. Note that a file named sqlsodbc.chm exists by default on a Windows installation, so Daonol overwrites the legitimate file rather than creating a new one. A sqlsodbc.chm that no longer matches a known-clean version may therefore be a symptom of a Gamburl/Daonol infection. If you suspect infection, compare your copy against the following list of SHA1 hashes and file sizes of clean sqlsodbc.chm versions that we have collected (the list is not exhaustive).

SHA1 Hash                                 FileSize (Bytes)
----------------------------------------  ----------------
005AAD8912A62127A2F416AA9FD089000D24851A   97892
03C9CD0D8E90DD8754F8488A085359C818A28A90   97053
0DB4AB7E18991BF64139E7078249679098C85F2C   97758
17257DF49E03DAF2BA1FA286FBE2C14802ACCD2A   97176
1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5   49771
236F25115C31DBFEB11D9BF12B620266F46BA041   96647
2667D90C7B0CBCC212B8C9143C28C7AD5105BE49   97746
2803AD07C1C7A8908BBDB5F7AB32A19C9A724ECC   98124
2915AA45C3FAF60137402270F0C915C0F5CA2CD1   96945
2C73542A1598AEA03F7927ECF8F7156106037D67   96975
2D570F7E8CD9DFED179996AC40F7F7EF7AC99E93   95765
2EA3BAFD66A74ADC6B835F31BD4E4A228F666A5D   95739
309FF9840F53DFF406EC580063A9975224F626DE   97015
30AE3FF04C8D486A5BE77ACB0939B06AF626F17D   48693
328BB23CEF7816035E32B3BF28A9F9606B9FF255   96851
34F96E4305B6E28B966F15E9845748E44AF35762   97393
38A8E15E68D64670016E62D6D2150F812CD31298   97250
44A4B285C1B27FEB36E0E0C3D0081A63241AE6AF   97369
487AA6CDB994E1855B33C1F3B0BE522C36540E56   97216
540F94FA630BB64529F656C6EAA4F48A3F87756D   98700
5690D97E9F9E913431AA9453D0185F2665A713CC   97035
583C919DF623E4B8A7B3EFAD6D2E1C792B823D5D   98100
58BC35673C8B1F751CD0584A6914740B2F3DCAAE   96705
5A658A36EF43147CB3F1DBC4276EA82A239BF8FA   49345
5FBA738B9698AA61645CFFE3AD95192C4BACDC49   97260
61CBFAB7CB5AB27EED9193F225B77E2EF6BA7321   49648
62ABAB09DFD971A90C2030BE44778206991CE2D6   97268
6441922698A8CD80A2FC0AE15EFDAF0A0208F50B   96941
694BDB08101AD5C18BB5B3425EE01073320B8D8E   97667
6BE7E7A20D2AB835C78EB8F3759C304888B86BD4   97304
6DB4B4F065610CAE100FBDB850AFC9F16C76AB65   98753
6EAEBB4ADCB8B240571D447A1EE9B665F6C181D2   96827
752211F65B693C721E27785FCC6C74E9B71997E9   96903
7E98241E1B21361CC02DC88EB57C9BB9CF1F4239   49092
82B79C07941775B6072D97D5D033E45E8D3C6FDF   98469
87230AD4C2646376B819DDA4963DD2C49BC50D7A   46133
8FD4C3533D648A14C8183D6F3A3AFEF3D1CC75CE   97640
91BD59E2BB7B9ED95B1DF85B314EA8FF0B3B86FD   98074
9625698340941EB6D519A219396296E45FDCF7DB   36253
97586996280F2A61AE5193DB827C44300BF27FCD   96675
9811B4A14E3196AAC93DF7CE2F50C84030AA7D13   97232
9BA779EE746DCC5A44B30BDA6436E07997236E52   97146
9E1E2EDDA59BDE29226CAD2D5BDA5A954BFCA5DC   94792
9F7658F361D9F1398DD90707EDE01F0032991946   48475
A09564B76C13C8470A44509A17B4B6023295A361   98770
A310EF2F35A8670F6C4B7872073F94764C23FA08   48095
A3E367F7F30A9BF9064DEFBF94C36F4EB7CA4C0A   95800
ABB417B6F06F8C18F92DCD62D9BC9F2284F468E9   97740
B194BB244FF0FD101DCDA79CD8FFC8D33C392D13   94808
C6CD44574CC0F5BAC24DE85B0933A132B3A0D684   50004
C97875A6819A3F675ABE42C8BB870E191102C94C   98724
C98D1FF5D9E1D8366CF130899BC210EBE54E77F8   98955
CA58E7CA1EE50FB8EB7428064DFE84381EEDB453   95771
CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70  101112
CF2DA46516BE3FC6312C2F05DF33C6A05F8562D7   48343
D6ED920D3D0ACEB52930A753256A21D43AE1899E   97087
D7E22080BF67CA6AE29BB12A51E865C22DDA48F7  101136
DA27CBA986161938C5086BB5C94FBBAB523B1F37   97791
DF025689B1E2E3C813969828AF26573BA4E2F23A   98800
E42C0D9D4669D41F8AB45F31F12B405489F39AFD   95808
E5EDDC4EF26EED5A64E4B4C509F01E224238D3C6   48401
E634C31114AE87D026812748E791402D69C6D996   97949
E667F70144423A645C6BC67CE01424F720594320   95909
E79A39606A2067120AEF63431F2C073B4B9298DC   97200
E9B9F0A53ED36C9464E4C4C154878742F1CA6EC6   96965
EAF20A3BC180FFE0AD59FF7AC786A5FC27DB0C3B   97662
EB60EEFA1AD57FA27E661032329AD9AF5FD243DA   97033
ED9E18A7E5EE245B77CFB4FC560013849072C943   96927
EF7A63AC6A45FA3BD6DD7390CA60462F61A6FCB2   47721
F3AF84FA7D5536E54F6A5357F3AC5AEDFA7EE52A   49249
FA0E76E509A8DF67B36B20BCBD0F6E4406DF32BA  100493
FAEFB399B9FFEBA156D31E2A0DE4195793300343   98052
FBDD32ED13D27E4102621E1067FDF3634F33B2C3   50727
FBFFF74687F608887E277068ED0390BD04CCF506   98977
FEDDBA02158D0425E5895439663C0481CA3911E6   94850
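As an added example (not part of the original post), the following Python script performs the sqlsodbc.chm check described above: it computes the SHA1 hash and size of the file and looks the pair up in the table. Because a Daonol-overwritten file holds stolen credentials rather than help content, the script also applies a second check the post does not spell out: a genuine compiled HTML Help file always begins with the "ITSF" signature, so a sqlsodbc.chm without it is suspicious even before any hash comparison. Only a subset of the table is embedded to keep the example short; paste in the full list for real use. The location %SystemRoot%\system32 is an assumption for "the Windows system folder".

```python
import hashlib
import os
from pathlib import Path

# Subset of the known-clean (SHA1, size) pairs from the table above. For a real
# check, paste in the full table; the subset only keeps the example short.
KNOWN_CLEAN = {
    ("005AAD8912A62127A2F416AA9FD089000D24851A", 97892),
    ("1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5", 49771),
    ("9625698340941EB6D519A219396296E45FDCF7DB", 36253),
    ("CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70", 101112),
    ("FEDDBA02158D0425E5895439663C0481CA3911E6", 94850),
}

# Every compiled HTML Help (.chm) file starts with the ITSF signature. A copy
# that Daonol has overwritten with stolen credentials will not.
CHM_MAGIC = b"ITSF"

CLEAN, SUSPICIOUS, UNKNOWN, MISSING = "clean", "suspicious", "unknown", "missing"


def default_path():
    # Assumption for this example: "Windows system folder" = %SystemRoot%\system32.
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "system32" / "sqlsodbc.chm"


def fingerprint(data):
    """(uppercase SHA1 hex, size in bytes): the two columns of the table."""
    return hashlib.sha1(data).hexdigest().upper(), len(data)


def classify(data, known_clean=KNOWN_CLEAN):
    """Verdict for the file contents as (verdict, detail)."""
    sha1, size = fingerprint(data)
    if (sha1, size) in known_clean:
        return CLEAN, f"{sha1} ({size} bytes) matches a known-clean version"
    if not data.startswith(CHM_MAGIC):
        # Not a CHM at all: consistent with the Daonol credential store.
        # Preserve the file for analysis; it may contain the victim's FTP logins.
        return SUSPICIOUS, "no ITSF header; file is not a CHM, possible Daonol credential store"
    # A real CHM we simply have not catalogued (other service pack, locale, patch level).
    return UNKNOWN, f"valid CHM header but {sha1} ({size} bytes) is not in the list; compare with a trusted copy"


def check_file(path=None):
    """Classify the sqlsodbc.chm at path (default: the system folder)."""
    path = Path(path) if path else default_path()
    if not path.is_file():
        # The file is present on a default install, so its absence is itself worth noting.
        return MISSING, f"{path} not found; expected on a default Windows installation"
    return classify(path.read_bytes())


if __name__ == "__main__":
    verdict, detail = check_file()
    print(f"{verdict}: {detail}")
```

An "unknown" verdict is not proof of infection: the table covers only the versions the authors collected, and a different service pack or language build produces a different clean hash. A "suspicious" verdict, a file that is no longer a CHM at all, is the strong signal, and the file should be kept rather than deleted, since it shows which credentials were exposed and need to be rotated.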


However, users should also note that whatever malware is being served can be changed by the malware authors at any time.


[Screenshot: Gamburl JavaScript source code]


This is a screenshot of part of the Gamburl code. The script attempts to determine the version of the browser's script engine; based on this information, the malicious site can serve exploits targeted at that particular browser.


As always, we recommend that you use antivirus software and make sure that you have the latest signatures. Microsoft Antivirus customers are currently protected against the Gamburl family with detections Trojan:JS/Gamburl.A and Trojan:JS/Gamburl.gen!A.


Because this threat also relies on many exploits for other applications, we would also like to remind users to keep all of their software updated to the latest versions.


Thanks to Jonathan Poon and Ian McMillan for providing us information regarding sqlsodbc.chm.


-Elda Dimakiling & Jireh Sanico
