
Kaspersky Lab: Gumblar attacks rose again in February

by 잡다한 처리 2010. 3. 10.

Kaspersky Lab, a global security company, reports that Gumblar attacks increased again this past February.
In practice, many websites have also been found modified in connection with Gumblar.

The Gumblar malware is a virus that first appeared in April 2009, and many variant files have been found from early October through December.
Other security vendors detect it under the names Daonol, Gadjo, and Kates.

The malware spreads as a drive-by download when a user visits a website that has been modified through an SQL injection attack; it checks the user's PC for vulnerabilities and is then downloaded and run.

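Infection relies mainly on Internet Explorer, PDF, and SWF vulnerabilities. When a user visits a modified site, a malicious script downloads a PDF or SWF file, which drops and runs an EXE file; the EXE then creates a DLL and registers it in the registry so that it starts automatically at boot.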

The previously discovered Daonol had a bug that showed a black screen instead of the logon screen when Windows booted, but the bug has been fixed in the Daonol currently being distributed.

Ordinary users should therefore always keep the engine of their security software up to date,
and for the time being should visit only safe sites.



Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software including viruses, spyware, hacker attacks and spam, reports that the script Trojan-Downloader program, Gumblar, has made a resurgence to dominate the Internet threat landscape throughout February 2010.

During last month, Kaspersky Lab recorded a dramatic surge in the variant, Gumblar.x, with 453,985 infections recorded, following a disappearance from the threat landscape altogether in January. Gumblar hit the headlines at the end of May 2009 when it went straight to the top of Kaspersky Lab’s Top Twenty ranking of threats on the Internet. In October, the company reported that new variants of the program (Gumblar.x and Gumblar.w) had been detected, using more sophisticated technologies than their predecessors, with the number of attempted downloads recorded at 740,836.

For the second consecutive month Trojan variants continue to dominate the online threat landscape. Kaspersky Lab expected a further resurgence of Gumblar and this new attack didn’t take long to materialise. However, this time the black hats haven’t changed their approach in any significant way and have simply been gathering new data that can be used to access websites prior to infecting them en masse.

The early incarnations of Gumblar demonstrated how Cybercriminals are able to take old attack methods and rework them. Initially, the program would contact dedicated malicious servers to fetch more malware. This evolved, and later versions of Gumblar are downloaded as password stealers, used to compromise legitimate websites.

[Figure: The number of websites infected by Gumblar.x]

Another Trojan-Downloader program worthy of note for its high level activity during February is Pegel, which grew almost six-fold throughout the month and has now reached epidemic proportions since being first detected in January. This program has similarities to Gumblar, in that it also infects perfectly legitimate websites. A user that visits an infected web site is redirected by the malicious script to a Cybercriminal resource and to ensure users don’t suspect anything, the names of popular websites are used in the addresses of malicious pages.

From the reports of the first two months of 2010 it is clear that Kaspersky Lab’s forecast of more sophisticated malware is being held to be true.

Top twenty ranking for February 2010 - Malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by the on-access scanner.


| Position | Change in position | Name | Number of infected computers |
|---|---|---|---|
| 1 | 0 | Net-Worm.Win32.Kido.ir | 274729 |
| 2 | 1 | Virus.Win32.Sality.aa | 179218 |
| 3 | 1 | Net-Worm.Win32.Kido.ih | 163467 |
| 4 | -2 | Net-Worm.Win32.Kido.iq | 121130 |
| 5 | 0 | Worm.Win32.FlyStudio.cu | 85345 |
| 6 | 3 | Trojan-Downloader.Win32.VB.eql | 56998 |
| 7 | New | Exploit.JS.Aurora.a | 49090 |
| 8 | 9 | Worm.Win32.AutoIt.tc | 48418 |
| 9 | 1 | Virus.Win32.Virut.ce | 47842 |
| 10 | 4 | Packed.Win32.Krap.l | 47375 |
| 11 | -3 | Trojan-Downloader.WMA.GetCodec.s | 43295 |
| 12 | 0 | Virus.Win32.Induc.a | 40257 |
| 13 | New | not-a-virus:AdWare.Win32.RK.aw | 39608 |
| 14 | -3 | not-a-virus:AdWare.Win32.Boran.z | 39404 |
| 15 | 1 | Worm.Win32.Mabezat.b | 38905 |
| 16 | New | Trojan.JS.Agent.bau | 34842 |
| 17 | 3 | Packed.Win32.Black.a | 32439 |
| 18 | 1 | Trojan-Dropper.Win32.Flystud.yo | 32268 |
| 19 | Return | Worm.Win32.AutoRun.dui | 32077 |
| 20 | New | not-a-virus:AdWare.Win32.FunWeb.q | 30942 |

Top twenty ranking for February 2010 - Malicious programs on the Internet, reflecting the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.


| Position | Change in position | Name | Number of attempted downloads |
|---|---|---|---|
| 1 | Return | Trojan-Downloader.JS.Gumblar.x | 453985 |
| 2 | -1 | Trojan.JS.Redirector.l | 346637 |
| 3 | New | Trojan-Downloader.JS.Pegel.b | 198348 |
| 4 | 3 | not-a-virus:AdWare.Win32.Boran.z | 80185 |
| 5 | -2 | Trojan-Downloader.JS.Zapchast.m | 80121 |
| 6 | New | Trojan-Clicker.JS.Iframe.ea | 77067 |
| 7 | New | Trojan.JS.Popupper.ap | 77015 |
| 8 | 3 | Trojan.JS.Popupper.t | 64506 |
| 9 | New | Exploit.JS.Aurora.a | 54102 |
| 10 | New | Trojan.JS.Agent.aui | 53415 |
| 11 | New | Trojan-Downloader.JS.Pegel.l | 51019 |
| 12 | New | Trojan-Downloader.Java.Agent.an | 47765 |
| 13 | New | Trojan-Clicker.JS.Agent.ma | 45525 |
| 14 | New | Trojan-Downloader.Java.Agent.ab | 42830 |
| 15 | New | Trojan-Downloader.JS.Pegel.f | 41526 |
| 16 | Return | Packed.Win32.Krap.ai | 38567 |
| 17 | New | Trojan-Downloader.Win32.Lipler.axkd | 38466 |
| 18 | New | Exploit.JS.Agent.awd | 35024 |
| 19 | New | Trojan-Downloader.JS.Pegel.k | 34665 |
| 20 | New | Packed.Win32.Krap.an | 33538 |
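
The release above notes that Pegel's malicious pages carry the names of popular websites in their addresses. As an added example (not from Kaspersky Lab or the original post), this heuristic lists the script and iframe sources on a page whose URL contains a popular site name while the host is some other domain; the watch-list, function names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed watch-list of popular site names (constructed for this example).
POPULAR = ("google.com", "yahoo.com", "youtube.com")


class _SrcCollector(HTMLParser):
    """Collect the src URLs of <script> and <iframe> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)


def is_lookalike(url, popular=POPULAR):
    """True when a popular site name appears in the host or path of the
    URL although the content is not actually served from that site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for name in popular:
        if host == name or host.endswith("." + name):
            return False  # genuinely hosted on the popular site
    # The query string is ignored: referrer parameters often name popular sites.
    rest = (host + parts.path).lower()
    return any(name in rest for name in popular)


def suspicious_sources(html):
    """Return script/iframe sources on the page that deserve a manual review."""
    collector = _SrcCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_lookalike(u)]


# Constructed sample page; every host is a placeholder under .test.
SAMPLE = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://www.google.com/jsapi"></script>
<script src="http://cdn.example.test/google.com/yahoo.com/a.js"></script>
<iframe src="http://youtube.com.example.test/index.php"></iframe>
</body></html>
"""
```

A hit is a prompt for review rather than a verdict, since a legitimate path can also mention a popular site name.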
