Comments on: 'Gumblar' attacks spreading quickly

The malicious code known as "Gumblar" or "Troj/JSRedir-R," which infects Web sites, was first detected in March. Defying security experts' expectations, it is growing rapidly instead of dying out.

[longroy]

..Question: If China's governing forces are so good at blocking content from being viewed by their own people, why the hell can't they stop all these trojans being delivered from .cn based websites?? Unless... ...aaahhh (light bulb)!

[gertruded]

Never once does the writer say that this is a windows problem.

IT IS A WINDOWS PROBLEM, IT IS A WINDOWS PROBLEM.

[man_w_balls]

don't you know that all computers are Windows?

OK, so they're not. Some people really don't know any different though, and it's sad.
But some of us will have working computers no matter what virii are unleashed.

[catch23]

>> attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player
Learn to read, you gutless shill. Any OS running these programs can be targeted.

[SIGHUP]

Actually he said it was an Adobe and Google problem. But good job putting out the first flamebait. Maybe you should read the entire article next time.

[Perry_Clease]

"Actually he said it was an Adobe and Google problem. But good job putting out the first flamebait. Maybe you should read the entire article next time."

I am staying out of the Windows flame war, but from what I read on a number of website the gumblar is more than an Adobe and Google problem From ComputerWeekly.com:

"Gumblar seeks to identify old, unchecked vulnerabilities on a PC that browses a hacked site, installing malware where holes are discovered. Successful attacks install malware that manipulates Google search result pages when viewed by Internet Explorer, presenting victims with links to fraudulent sites.

For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded," internet security company ScanSafe reports.

The Trojan could then allow cybercriminals control of the victim's computer, leading to myriad security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise - a common malware propagation tactic."

[alegr]

The virus compromises PHP websites. Most of them use Apache.

[Dalkorian]

"The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said."

The apologists shine spotlights on the Acrobat and Flash connection, trying to distract you from the fact that it's trying to mess with your search results (Google) ... when using Internet Exploder.

Try getting IE on anther platform other than winblows. Ergo, it's a winblows problem. Currently.

In the apologists defense, this apparently is a trojan horse that's exploiting third party applications to get in the door. No platform is invulnerable to this kind of attack, just because it's currently targeting winblows doesn't mean it couldn't be tweaked to target Linux or OS X instead. Trojans work by fooling the user into installing them and no OS can protect the user from him/her self.

[gggg sssss]

and Macs dont use ftp or acrobat reader or javascript?

[baconstang]

More like very few Mac users use IE. If they did and went to the sites and downloaded the Trojan, and even if they did agree to install the 'application downloaded from the internet', there is nothing in the article that says it was written to take over an OSX machine.

[Perry_Clease]

"and Macs dont use ftp or acrobat reader or javascript?"

We use those programs, but we don't use Explorer

[baconstang]

The 'gertruded' one is right, it IS a Windows problem. Besides if affected a single Mac, it would have been in the headline.

[trindnk]

I've seen 5 different variants by these folks on several different servers (friends, companies and my personal host). They are using 3 different URLs in iFrame injections and have started using a couple of different Javascript injections as well. They get in through FTP accounts...so beef up your FTP passwords and change them often. Once they get on the server and can display their content in your pages...they post Flash Files (which give them root access to the machine) and start embedding trojan, malware and spyware. It gets worse the longer you leave it up and they start putting code in smarter places until they eventually just start adding code at the end of your files...oh, and don't look for change dates on your files. They are truncating your existing files and saving with the old date and files size, so it looks like nobody has been there.

[Recklesslife85]

My website has contract the Virus. Been driven me insane untill I found out it was this!!! In the middle of cleaning up the problem.

Honesly guys do all you can to stop this from happening to your website as its a real pain.

[McNetter]

So it appears Gumblar was downloaded on a Mac of ours. It doesn't appear to show any adverse affects. But when we started using that machine to access webservers, Gumblar got into these remote servers and infected multiple websites. Affected sites apparently crashed user's computers (only HP products for some reason) and they had to have them revived by service techs. Which I'm paying for. I need to make a report about our situation. Any feedback on how this Gumblar can get from a Mac to a remote server yet not be evident on the host Mac?