In the recent years, the intensity of Virus Attack has just doubled. The severity of those attacks keep on changing depending on the ability of the virus to penetrate our networks and PCs and utlilize their resources.
Not all antiviruses are able to detect and prevent these viruses or trojans or bots at their arrival. Most go untraceable and undetectable and only after major loss of data, the viruses are detected.
We cannot kill the viruses before the Antivirus Softwares release the patches, but we could prevent those attacks by following a few steps :
1. Be sure to install updates for Microsoft® products
Using Microsoft Update with automatic updating is a strong – and simple to implement – first line of defence against security threats. The Microsoft Update site scans your computer and gives you a list of updates that are relevant to your computer and its configuration.
2. Install the latest versions of Adobe Reader and Flash Player
The viruses like Gumblar takes advantage of common Adobe Reader, Adobe Acrobat, and Adobe Shockwave Flash Player vulnerabilities, which lead to the download of additional malicious files. Keeping these programs up-to-date can help ensure you’ve got the latest and most secure versions available.
3. Create and maintain strong passwords
Keeping and using strong passwords, and changing them regularly, is a very important step in keeping your online accounts, computer files and personal information secure. Ideally, passwords should be long and use the entire keyboard, not just the letters and characters you use or see most often.
4. Invest in quality antivirus and antispyware protection
While it isn’t a 100% guarantee of security, your risk of virus infection is significantly lower when you use a comprehensive antivirus protection program. Without some sort of protection, you are virtually guaranteed to become a victim of viruses, spyware and spam.
5. Don’t click on unknown links or attachments
Never click on any unfamiliar links embedded in an e-mail, or open attachments from unknown senders. And check for anything unusual even in links you do recognise; slightly altered domain names could indicate that a site has been hijacked.
6. Download files only from trusted sites
You should only download files from known, well-established sources. Never download anything if you’re not certain what it is. When in doubt, don't download the file to your computer at all: download it onto an external drive or USB stick, and then check the files with antivirus scanning software.
Tuesday, April 20, 2010
Gumblar - The latest Global WebThreat
The newest virus to attack the networked Computers is the "Gumblar” or “Geno” virus which is the latest high-profile virus to infect computers.
According to the IBM Internet Security Systems website, Gumblar is a botnet that infects traditionally non malicious web servers so as to infect the computers of users who have visited infected websites. Gumblar computer virus attacks PCs through vulnerabilities in some versions of the Adobe’s PDF reader and Flash player software.
MODUS OPERANDI :
This virus is a particularly insidious one, with a multi-phased attack. After infecting a machine, Gumblar installs a series of malware programs, including a small application capable of stealing FTP credentials. It can gain control of an entire website and freely operate it.
Gumblar also monitors the infected user’s online activity, and waits for the user to conduct Google searches. The malware hijacks the search results, replacing them with any link of its choice and further infecting the computer with malware. The virus also installs a fake antivirus program known as "System Security 2009", and disables any legitimate security software.
Detection of the gumblar malware may be done by identifying malicious scripts. Web pages that are infected by the gumblar PC virus have a script that looks like this:
Infected websites have their own modification of the script but these modifications have common parts that can be identified as the gumblar . cn script.
US-CERT has already issued a statement about the Gumblar malware and encourages users to use updated software and antivirus programs.
Unmaskparasites.com provides gumblar remove instructions and recommends scanning for spyware using programs such as the malware removal tool Malware Bytes. Remove all the malicious codes that have been installed in the server files (.html, .php, .js, etc.) and change FTP passwords in a clean computer.
Other remedial actions which the user can take are :
1. Be sure to install updates for Microsoft® products
Use Microsoft Update with automatic updating from the site Microsoft Update.
2. Install the latest versions of Macromedia Flash and Adobe Acrobat Reader.
3. Maintain STRONG Passwords
Use passwords which are ALPHANUMERIC in character and should not be less than 8 characters long.
4. Have strong Antivirus and update them regularly.
5. Avoid unknown links from sites.
PATCHES :
To fix this you could use these patches:
1. For Adobe Reader : http://www.adobe.com/support/security/
2. For Adobe FlashPlayer : http://get.adobe.com/flashplayer/
DETECTION :
Only Antivirus to detect the Virus until a few days ago was AVAST. You could download the latest version at : http://www.avast.com/eng/download-avast-home.html
Firstly, find another computer that is not infected. Go to your host’s control panel and change the password. If you are running a database driven site, change your database user passwords too. Backup your database – it is not clear at the moment if the database is at risk. Then, the safest option, is to delete everything in your public_html directory (or equivalent) plus html files in the tmp/webalizer and tmp/awstats directories.
On your computer install Avast. Update Windows. If you struggle to get to the website, that’s the virus blocking you. Download from another pc, copy to media, then install from there. Update and run, run in safe mode, clear you temp data (CCleaner has always been handy for this) and run it again. Make sure you pc is clear. Reboot and run again (in case pesky virus hides and returns on reboot). Ah, before doing all that, disable Windows Restore and ensure all restore points are trashed (should be automatic).
When you computer is clear, you should be ok. As a precaution, delete all FTP passwords from all applications (even the ones you forgot about/tested years ago). I suggest that web masters stop saving FTP data on their pc’s completely. Better safe than very very sorry. Remember, Dreamweaver, Link Crawlers and Site Map generators, Photo Editors, Album Creaters and even some notepad tools (like PSPad) store FTP information.
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
REFERENCES :
http://blog.scansafe.com/
http://www.iss.net/threats/gumblar.html
http://www.guardian.co.uk/technology/2009/may/22/gumblar-google-malware
http://www.cbsnews.com/stories/2009/05/29/tech/cnettechnews/main5047992.shtml?source=RSSattr=SciTech_5047992
According to the IBM Internet Security Systems website, Gumblar is a botnet that infects traditionally non malicious web servers so as to infect the computers of users who have visited infected websites. Gumblar computer virus attacks PCs through vulnerabilities in some versions of the Adobe’s PDF reader and Flash player software.
MODUS OPERANDI :
This virus is a particularly insidious one, with a multi-phased attack. After infecting a machine, Gumblar installs a series of malware programs, including a small application capable of stealing FTP credentials. It can gain control of an entire website and freely operate it.
Gumblar steals FTP passwords from web designers and site manager, then uses them to connect to website servers, and edit .html .php and .js pages. Plus add a few extras too. It targets index files as well as creating files in image directories, and even modifies webalizer and awstats files given the chance. These are likely to be the backdoors. Once Gumblar has infect a webserver, the website on that server becomes a carrier, and spreads the virus to new computers. Anyone browsing to an infected website can pick up the virus. It utilises vulnerabilities in Adome Flash and Adobe Reader so install itself on a pc.Once it infects a PC, the gumblar virus silently redirects the victim’s google search results to websites that injects malwares. Reportedly, the gumblar virus targets google users and the updated version is said to have been tweaked to more efficiently infect users of the Google Chrome browser.
Gumblar also monitors the infected user’s online activity, and waits for the user to conduct Google searches. The malware hijacks the search results, replacing them with any link of its choice and further infecting the computer with malware. The virus also installs a fake antivirus program known as "System Security 2009", and disables any legitimate security software.
DETECTION :
Detection of the gumblar malware may be done by identifying malicious scripts. Web pages that are infected by the gumblar PC virus have a script that looks like this:
Infected websites have their own modification of the script but these modifications have common parts that can be identified as the gumblar . cn script.
REMEDY :
US-CERT has already issued a statement about the Gumblar malware and encourages users to use updated software and antivirus programs.
Unmaskparasites.com provides gumblar remove instructions and recommends scanning for spyware using programs such as the malware removal tool Malware Bytes. Remove all the malicious codes that have been installed in the server files (.html, .php, .js, etc.) and change FTP passwords in a clean computer.
Other remedial actions which the user can take are :
1. Be sure to install updates for Microsoft® products
Use Microsoft Update with automatic updating from the site Microsoft Update.
2. Install the latest versions of Macromedia Flash and Adobe Acrobat Reader.
3. Maintain STRONG Passwords
Use passwords which are ALPHANUMERIC in character and should not be less than 8 characters long.
4. Have strong Antivirus and update them regularly.
5. Avoid unknown links from sites.
PATCHES :
To fix this you could use these patches:
1. For Adobe Reader : http://www.adobe.com/support/security/
2. For Adobe FlashPlayer : http://get.adobe.com/flashplayer/
DETECTION :
Only Antivirus to detect the Virus until a few days ago was AVAST. You could download the latest version at : http://www.avast.com/eng/download-avast-home.html
FIX IT :
Firstly, find another computer that is not infected. Go to your host’s control panel and change the password. If you are running a database driven site, change your database user passwords too. Backup your database – it is not clear at the moment if the database is at risk. Then, the safest option, is to delete everything in your public_html directory (or equivalent) plus html files in the tmp/webalizer and tmp/awstats directories.
On your computer install Avast. Update Windows. If you struggle to get to the website, that’s the virus blocking you. Download from another pc, copy to media, then install from there. Update and run, run in safe mode, clear you temp data (CCleaner has always been handy for this) and run it again. Make sure you pc is clear. Reboot and run again (in case pesky virus hides and returns on reboot). Ah, before doing all that, disable Windows Restore and ensure all restore points are trashed (should be automatic).
When you computer is clear, you should be ok. As a precaution, delete all FTP passwords from all applications (even the ones you forgot about/tested years ago). I suggest that web masters stop saving FTP data on their pc’s completely. Better safe than very very sorry. Remember, Dreamweaver, Link Crawlers and Site Map generators, Photo Editors, Album Creaters and even some notepad tools (like PSPad) store FTP information.
MUST READ THE REPORT :
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
REFERENCES :
http://blog.scansafe.com/
http://www.iss.net/threats/gumblar.html
http://www.guardian.co.uk/technology/2009/may/22/gumblar-google-malware
http://www.cbsnews.com/stories/2009/05/29/tech/cnettechnews/main5047992.shtml?source=RSSattr=SciTech_5047992
Subscribe to:
Posts (Atom)
