

From Malware Wiki
Most of this page uses content from Wikipedia. The original article was at Gumblar. The page may have contained some inaccurate or outdated information, so please rewrite some parts to avoid plagiarism.
The list of authors can be seen in the page history. As with Malware Wiki, the text of Wikipedia is available under the Creative Commons Attribution-ShareAlike 3.0 License.


Creator: Hu Wenxiang (?)
Date: May 2009
Programming Language: JavaScript
Platform: Microsoft Windows
File Type: .EXE

Gumblar is a malicious JavaScript trojan that redirects the user's Google searches and then installs rogue security software. Also known as Troj/JSRedir-R, this botnet first appeared in 2009. Gumblar infections have been widely seen on older Windows PCs. The virus would take over websites and replace their content with malicious links.


The malicious site sends the visitor an infected PDF that is opened by the visitor's browser or Adobe Acrobat Reader. The PDF will then exploit a known vulnerability in Acrobat to gain access to the user's computer. Newer variants of Gumblar redirect users to sites running fake antivirus software.

The virus will find FTP clients such as FileZilla and Dreamweaver and download the clients' stored passwords. Gumblar also enables promiscuous mode on the network card, allowing it to sniff local network traffic for FTP details. It is one of the first viruses to incorporate an automated network sniffer.


Using the passwords stolen from site administrators, the infected host will access their websites via FTP and infect them. It will download large portions of the website and inject malicious code into the website's files before uploading the files back onto the server. The code is inserted into any file that contains a <body> tag, such as HTML, PHP, JavaScript, ASP and ASPX files. The inserted PHP code contains base64-encoded JavaScript that infects the computers of visitors whose browsers execute it. In addition, some pages may have inline frames (iframes) inserted into them. Typically, the iframe code contains hidden links to malicious websites.

The virus will also modify .htaccess and HOSTS files, and create images.php files in directories named 'images'. The infection is not a server-wide exploit: it will only infect the sites on the server for which it has passwords.
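As an added defender-side example (not code from the page or from the original Wikipedia article), the following Python scanner walks a web root and flags the three on-disk indicators described above: PHP blocks that feed a long base64 literal to eval()/base64_decode(), hidden iframes, and an images.php dropped into a directory named "images". The regexes, the extension list and the sample page are heuristics and constructed data of my own, not Gumblar signatures.

```python
import os
import re

# Heuristics for the injection pattern described above: a PHP block that passes a
# long base64 literal to eval()/base64_decode(), an <iframe> hidden by style or zero
# size, and an images.php dropped into a directory named "images". (Assumed, not a signature.)
PHP_B64 = re.compile(
    r"<\?php[^?]*?(?:eval|base64_decode)\s*\([^)]*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I | re.S)
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*[\"']?0\b)[^>]*>", re.I)
SCAN_EXT = {".html", ".htm", ".php", ".js", ".asp", ".aspx"}  # file types the page says get injected

def scan_text(text):
    """Return finding labels for one file's contents."""
    findings = []
    if PHP_B64.search(text):
        findings.append("php-base64-eval")
    if HIDDEN_IFRAME.search(text):
        findings.append("hidden-iframe")
    return findings

def scan_path(path):
    """Return findings for one file; images/images.php is flagged by its location alone."""
    findings = []
    parent = os.path.basename(os.path.dirname(path)).lower()
    if os.path.basename(path).lower() == "images.php" and parent == "images":
        findings.append("images.php-in-images-dir")
    if os.path.splitext(path)[1].lower() in SCAN_EXT and os.path.isfile(path):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read()))
    return findings

def scan_webroot(root):
    """Walk a web root and map each suspicious file path to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_path(path)
            if hits:
                report[path] = hits
    return report

# Constructed sample page (not real malware): an injected PHP block plus a hidden iframe.
SAMPLE = ("<html><body>hi\n<?php eval(base64_decode('" + "QUJD" * 12 + "')); ?>\n"
          '<iframe src="http://example.invalid/x" style="visibility:hidden"></iframe>\n</body></html>')
```

Running scan_webroot("/var/www") on a host restored from backup before and after a suspected compromise, and diffing the two reports, gives a quick triage list; review hits by hand, since legitimate sites also use base64 and iframes.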

Gumblar variants

Different companies use different names for Gumblar and its variants. Initially, the malware connected to the gumblar.cn domain, but that server was shut down in May 2009. However, many badware variants have emerged since then, and they connect to other malicious servers via iframe code. Some examples are Martuz.cn, Troj/JSRedir-R, and iframe.

Gumblar resurfaced in January 2010, stealing FTP usernames and passwords and infecting HTML, PHP and JavaScript files on web servers to help spread itself. This time it used multiple domains, making it harder to detect or stop.