Wednesday, June 3, 2009

Thought the Conficker Virus Was Bad? Gumblar Is Even Worse.

If you thought Conficker was bad, meet Gumblar. If malware programs were comic book villains, Conficker would be Kingpin -- evil for sure, but really just a big bully. Gumblar on the other hand would be Galactus -- massive, all-powerful, evil, and extremely difficult to defeat.ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the domain on to victims' computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated Javascript (Web site code that is created on the spot instead of being completely determined beforehand -- a key element of Web apps like Gmail) that is much harder for security software to detect and remove.The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including and, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim's computer, using them to infect additional Web sites.
Its not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs (see botnet) to inflict further damage. Already infected PCs could be used to hijack even more Web sites, by searching out logon information for Web servers and uploading their malicious payload. Compromised PCs can also be instructed to install Trojans that steal data and passwords.The danger posed by Gumblar is so great that ScanSafe suggests a full reformat and reinstallation of Windows to clean out an infection. It also suggests changing all of your passwords and usernames after securing your PC.Detecting an infection is complex, and not fool-proof. According to ScanSafe the best way to find out if your PC has been hijacked by Gumblar is to follow CNET's well laid out steps:
1) Locate the file sqlsodbc.chm in the Windows system folder (in Windows XP open My Computer then go to Local Disk (C:) --> Windows --> System32)2) Obtain the Sha1 of the installed sqlsodbc.chm using FileAlyzer, a free tool for obtaining the Sha1 of a file. If you've never heard of Sha1 before, don't panic. It's a sort of automatically generated digital identifier for files designed by the NSA, and used by security applications to confirm that a file is what it is supposed to be.3) Compare the obtained Sha1 code and the file's size to the list located on the ScanSafe STAT Blog.4) If the Sha1 and corresponding file size do not match with a pair on the reference list, it's a potential sign of a Gumblar infection.If you're still not sure if you're safe from Gumblar, or the method for detection has left you staring at the screen slack-jawed and sratching your head, then now might be the time to get on the phone with that tech-savvy cousin of yours and have him check it out. [From: CNET]

No comments: