Experts: Gumblar attack is alive, worse than Conficker
Updated May 29 at 11:25 a.m. PDT with more details, quotes throughout.
Gumblar, a new attack that compromises Web sites, has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.
Because the attackers changed the configurations of the servers hosting the compromised Web sites, they retain control of those sites and can keep adding new domains that serve exploit code to visitors, Mary Landesman, a senior security researcher at ScanSafe, said on Friday. "At some point these attacks (on Web sites) will start again," she said.
Gumblar is building two botnets simultaneously--the botnet of compromised Web sites and a botnet of infected PCs, she said.
Visitors to those compromised sites who have JavaScript enabled are then attacked in turn and, if the exploit succeeds, join the PC botnet, she said.
The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.
"It is targeting IE users and Google searches," Landesman said.
The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."
The number of individual PCs compromised by Gumblar is also a mystery, but it is likely very high too, given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.
ScanSafe contends that Gumblar's behavior is more intrusive than Conficker's. Conficker is a worm that spreads through a hole in Windows, via removable storage devices, and across network shares with weak passwords, and that disables security software and installs fake antivirus software.
In addition, Gumblar has extended its propagation capability, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);
2) Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;
3) Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog;
4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
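The four steps above, as an added example in Python (this is not ScanSafe's tool, not FileAlyzer, and not code from the article): it streams the file, computes its SHA1 and size, and checks the pair against a reference set. The reference set and the two sample files are constructed stand-ins, because the real list of (SHA1, size) pairs is on the ScanSafe STAT Blog and not on this page; transcribe the published pairs into KNOWN_GOOD before using it on a real machine.

```python
"""Added example: check sqlsodbc.chm against a (sha1, size) reference list.

KNOWN_GOOD is built from CONSTRUCTED sample content so the check can be
exercised offline; it is not the ScanSafe list.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for a legitimate sqlsodbc.chm (a real CHM starts with
# the "ITSF" magic, which is all this sample borrows from the real format).
_SAMPLE_GOOD = b"ITSF" + b"\x00" * 60
# Constructed stand-in for a tampered copy: if the file is overwritten with
# a payload, both its size and its hash change.
_SAMPLE_TAMPERED = b"MZ" + b"\x90" * 200


def sha1_and_size(path):
    """Return (sha1_hex, size_in_bytes) for the file at path, read in chunks."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


# Reference set of (sha1, size) pairs. Constructed from the sample above;
# in practice, replace it with the pairs published on the ScanSafe STAT Blog.
KNOWN_GOOD = {(hashlib.sha1(_SAMPLE_GOOD).hexdigest(), len(_SAMPLE_GOOD))}


def default_path():
    """sqlsodbc.chm under the Windows system folder (System32 on Windows XP)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "sqlsodbc.chm")


def classify(path, known_good=KNOWN_GOOD):
    """Return 'missing', 'known-good' or 'unknown' for the file at path.

    Step 4 requires BOTH hash and size to match one reference pair, so a
    lone hash match is not accepted. 'unknown' is an indicator, not proof:
    the file may be a legitimate version absent from the list, and a
    compromised host can misreport anything a script reads from it.
    """
    if not os.path.isfile(path):
        return "missing"
    return "known-good" if sha1_and_size(path) in known_good else "unknown"


def demo():
    """Write the two constructed samples to a temp dir and classify them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = (("good", _SAMPLE_GOOD), ("tampered", _SAMPLE_TAMPERED))
        for name, content in samples:
            path = os.path.join(tmp, name + ".chm")
            with open(path, "wb") as handle:
                handle.write(content)
            results[name] = classify(path)
        results["missing"] = classify(os.path.join(tmp, "absent.chm"))
    return results


if __name__ == "__main__":
    print("constructed samples:", demo())
    target = default_path()
    verdict = classify(target)
    if verdict != "missing":
        print(target, sha1_and_size(target), verdict)
    else:
        print(target, verdict)
```

Run it on the suspect machine after transcribing the published pairs into KNOWN_GOOD; the module-level demo only proves the matching logic on the constructed samples. A verdict of "unknown" is a reason to investigate, not a conviction, and a "known-good" verdict obtained on a host you already suspect is only as trustworthy as that host, which is one reason a full reformat is the recommended remedy.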
The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.




Seriously.. fanboyism aside....no doubt that pre-Vista Microsoft didn't give a crap about security.. and left it up to 3rd party software to clean up its mess. We pay for it every day in spam.
Without knowing too much about this trojan, you cannot expect an 8 or 10 year old OS to prevent 3rd party vulnerabilities from being exploited by a TROJAN. If there are holes in a 3rd party software (in this case Adobe's software), and the user actually downloads and runs a file that contains an exploit for such holes, then there is not much blame to be given to the OS. Let's not forget, this is how OS X was owned in the pwn2own contest, and that without even using a 3rd party program.
.. 1. reread my post
.. 2. If you are comparing the accomplishment of one uber geek to the literally millions of windows exploits.. you officially drank the punch. To deny Microsoft's past security mistakes is to literally stick your head in the proverbial hole. Microsoft did nothing about security until Vista.. and we all pay for it.. every day.
Does that mean we shouldn't forget about the POS OS9 was?
"literally millions of windows exploits.."
Dictionary.com defines 'Literally' as: "actually; without exaggeration or inaccuracy: The city was literally destroyed. "
In order to maintain your credibility, you have stated that there are literally millions of windows exploits. Please list them. ALL of them. Anything less than 2 million exploits minimum to maintain your claim will be considered failure and FUD on your part. Your honor and reputation are on the line.
You made the claim, now it's up to you to back it up... literally. :)
You know... I'm surprised at how hard it is to actually find a complete list. From what I could gather this morning.. there were around 97,467 windows viruses as of 2005.... and Symantec's website lists 4,048,820 total risks.
If you'd like, I can change my comment to "literally hundreds of thousands".. but that's just as bad.. and, according to Symantec's risk numbers.. it may be more than 4 million.. depending on what you want to include.
@ monkey boy.. Yes, OS9 wasn't exactly refined.. but Apple did away with that OS how many years ago? What was your point?
"michael_j_x
.. 1. reread my post
.. 2. If you are......"
Sorry, but I assumed that since you are posting on this story, you were referring to this trojan as one of the "million Windows exploits" you mentioned. I merely pointed out that this is not an exploit you can reasonably attribute to the OS, and thus your posting was out of place, at least for this article.
97,467 windows viruses: I doubt all of them are purely OS viruses, or that all of them are pure viruses and not trojans/worms (Symantec tends to have these 3 as one threat).
4,048,820 : That is for the entire Microsoft product line, not just windows. This includes the massive office suite, live suite, server applications etc.
However, notice that the most significant viruses released for windows require some kind of stupidity on behalf of the user (i.e. opening a text file from an email that had as title "i_love_u.txt.vba"...)
Tell an Apple fanboi that a MacBook is really just an overpriced pc, and prepare to go home with your teeth in a bag. Tell a Microsoft fanboy that perhaps Windows might be a tad better if it didn't suck so much, and you'll be beaten to death with your own severed leg.
There are computer game fanboys, movie franchise fanboys, operating system fanboys, cellphone fanboys...the list goes on. And on. And on. Seemingly, there are as many fanboys as there are things to be anally-retentive about. And all of them think their special thing is THE MOST IMPORTANT THING IN THE UNIVERSE.
penquinisto: "Seriously - when any 13-year-old in Eastern Europe can write a script or rig a webpage to pop a Windows box..."
penquinisto: "...and yet the Macs out-last the PC's, often with a longevity of 2-1"
kcotham: "I've seen so many of my colleague's computers running Vista riddled with more viruses and worms than are at the CDC lab in Atlanta."
kcotham: "I never said that Macintoshes (Mac OS X) don't crash, I said that it was exceedingly rare in comparison to Windows. "
applerocks1996 within hours of windows 7 beta release: "windows 7 is a pig with lipstick."
When confronted with their statements for proof, none has ever been provided. Penquinisto never found a single 13 year old, nor any facts on hardware failure rates. Kcotham has no clue how many viruses are in the atlanta CDC and never found any comparison on crashes. Applerocks still hasn't tried windows 7 beta. The overall common factor is these guys do not use windows, they just BS. That is what you call a fanboy.
No matter what platform/OS you're running don't install anything you aren't absolutely sure is legit. i.e. only install Acrobat or Flash directly from Adobe.com.
Use the latest web browsers as they do a pretty good job of letting you know when something phishy is going on. Firefox and the NoScript add-in is the best at keeping things secure. Sure, it's a pain at first, but it's worth the effort.
Backup important content so that in the event you do get compromised and have to reformat, you don't lose everything.
Don't fall for the BS that any one OS is more secure than another. All the OS's do a pretty good job of protecting you out on the information superhighway, but none of them can help you if you don't wear a seatbelt. :)
I don't often agree with Seaspray but yes, running as administrator/root is a very very bad thing.
After that, get a firewall and set it up. If your ISP has a firewall set up, get another one for your machine specifically.
Now, after steps 1 and 2, depending on your OS, find the best possible antivirus program available (in Windows I would suggest Avira AntiVir since it kept XP running for me with no reformatting for over 2 years). I would also suggest downloading Malwarebytes AntiMalware if you're running Windows and updating it manually at least once a week and running a scan.
Other than that, I can just tell you what I did with mine before switching to Ubuntu.
" The reason Linux isn't affected by this stuff, is it was designed (like Unix) from the ground-up to be a secure multi-user system, where admin authority is "only" granted for limited, specific reasons."
Then why do they release security updates? If it's so perfect from the ground up, then there would be no need to have any sort of software updates.... EVER.
Gotcha. :)
Don't you love it when the M$ fanbois show up and try to defend their pig in lipstick?
UAC - wow. M$ tried to mimic the elegant and simple user permissions in Unix, but as usual they screwed it up - intentionally. They made it annoying on purpose (supposedly to pressure the driver writers to write better drivers), which in itself dilutes its effectiveness. Let alone the fact it just doesn't work. Go ahead, ask me to search M$'s website for you for proof. I won't see the challenge myself, but it will prove you can't even bother to look up facts for yourself (I have better things to do with my time than fight M$'s horrible website to prove you're wrong).
But then we get one that claims if Linux was so perfect it wouldn't need any updates ever. I guess that would be true if it was written by Gods.
You see, they love it when you confuse "vulnerabilities" with "exploits", because then they can claim the least secure OS ever devised by mankind really isn't that bad.
ROFLMAO!
Go ahead and show us your proof.
What a severe waste of time!"
Dan, Dan, Dan ... way to prove your ignorance dude. Nice job!
There's a difference between upgrading from one version to another and "installing a new OS". That's the difference between going from Windows to OS X to Windows to OS X and so on and so on and just going from XP to Vista to Windows 7.
By the way, even if I was installing a "new OS every six months", it would take less time than it does to maintain a Windows system.
I'd rather waste 1 hour every six months than even 2 hours a week doing system maintenance.
Seaspray0 . . . correct me if I'm wrong, but the last I read is there isn't a single Linux virus in the wild. Only some experimental prototypes that were ineffective for a number of reasons too long to go into in this post. And volume of installs (Win vs Nix) doesn't really matter, as the percent of total compromised systems due to virus-class software is . . . . nada. And by the way, just the top 3 Linux desktops (Ubuntu et al., Suse and Fedora) are on millions of PCs (not including servers, mainframes, and devices: phones, PIMs, music players). Linux/Unix runs more types of hardware than "any" other OS (by far).
Vegaman: About Security - - all systems have vulnerabilities - from different methods and sources. Security updates and patches for Linux systems are targeted toward apps that require web access, or for servers and networks. That's a whole different ballgame than an average Joe running 2 or 3 stand-alone machines at home or college. So, my point is valid - no significant risk of a hosed system - - compared to Windows (which is why Microsoft continues to retrofit and re-design their systems to be more like Linux/Unix/Mac).
The best way to actually get a feel for the reliability and security difference between Win and Nix is to jump in the pool and try running a dual-boot system. You can run Win or Linux - - choice and freedom, that's what Ubuntu's really about. No more annoying nags from AV vendors or commercialism up the wazoo . . ., no more DRM (digital restrictions management).
Sounds like you're describing yourself. I've shot down every fallacy you've posted, providing links and quotes for you. Windows Vista is not more inherently secure than Linux; that has been demonstrated at CanSecWest. But it has proven vastly superior to your former love (the Mac), in that Vista is not being taken with drive-by downloads while the Mac is a sitting duck against them.
Interesting to see that you seem to have finally dropped the Mac OS bandwagon. Now you've picked up on the least functional OS in existence, one that can't handle heavy USB strain because of poor drivers, one that can't play 3D games with ATI chips because of poor drivers, one that can't operate a PSC's flatbed because of no drivers, one that has no apps to record screen and sound... etc.
Vista is adequately secure against remote exploits out of the box. And for prior OSes built on NTFS, Invincible Windows is always there. Anyone savvy enough to actually run Linux is more than savvy to employ a simple strategy to make sure their Windows OS is never compromised again. But you don't seem to care about that. You have a more subjective agenda; hate for a software company.
Sorry, but some of us have more needs than just surfing the Web and checking e-mail. We need an OS that facilitates our needs. *nix doesn't do that.
Since you mentioned using the actual search feature, is it necessary to use it to find the file? It would be a little absurd for the file to show in a search when it isn't showing up in Explorer, but it wouldn't honestly surprise me. I'm at a different computer at the moment, so I can't check.
C:\\Windows\System32 file
Arthritis in these fingers often causes typos. Sorry.
http://news.cnet.com/8301-1009_3-10257400-83.html?part=rss&subj=news&tag=2547-1_3-0-5
- by ggarndt June 4, 2009 2:38 PM PDT
- Another YAWIF (yet another Windows "feature") . . . not
http://www.itwire.com/content/view/25484/53/