February 18, 2010 4:54 PM
- Text
"Gumblar" Computer Virus A Growing Threat
(CNET)
This story was written by CNET's Elinor Mills.
The Web site compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, as well as search the victim's system for FTP credentials that can be used to compromise additional Web sites.
The domain was changed to martuz.cn before both domains were shut down. And now, the malware is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
"Fortunately, it appears the name servers themselves are being shut down," the company said in a statement. "However, even after Gumblar-related attacks subside, cyber criminals will still possess the botnet of infected computers obtained via Gumblar."
ScanSafe contends that Gumblar is worse than Conficker, a worm that spreads via a hole in Windows, through removable storage devices and network shares with weak passwords, as well as disables security software and installs fake antivirus software.
Gumblar, which was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May, has more intrusive behavior--it intercepts and monitors Web traffic, as well as installs a data-theft Trojan that steals usernames and passwords from infected computers, ScanSafe said.
In addition, once a Conficker infection is remediated there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims, the company said.
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:WindowsSystem32);
2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;
3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;
4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.
The Web site compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, as well as search the victim's system for FTP credentials that can be used to compromise additional Web sites.
The domain was changed to martuz.cn before both domains were shut down. And now, the malware is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
"Fortunately, it appears the name servers themselves are being shut down," the company said in a statement. "However, even after Gumblar-related attacks subside, cyber criminals will still possess the botnet of infected computers obtained via Gumblar."
ScanSafe contends that Gumblar is worse than Conficker, a worm that spreads via a hole in Windows, through removable storage devices and network shares with weak passwords, as well as disables security software and installs fake antivirus software.
Gumblar, which was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May, has more intrusive behavior--it intercepts and monitors Web traffic, as well as installs a data-theft Trojan that steals usernames and passwords from infected computers, ScanSafe said.
In addition, once a Conficker infection is remediated there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims, the company said.
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:WindowsSystem32);
2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;
3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;
4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.
Popular Now in SciTech
- Retro Duo will play your old Nintendo games
- Scientists say online dating doesn't work
- Kids react to seeing iPhone for first time
- Anonymous breaks into Assad's server
- Facebook graffiti artist David Choe, from homeless to millions
- Apple faces $1.6 billion iPad trademark lawsuit
- Apple iPad 3 rumors resurface, sources say March release
- Ethical iPhone 5 petitions head to Apple stores
- iPad manufacturer under fire, Apple responds
- Apple iPhone 5 rumors, reports say June release
- Hackers release Symantec pcAnywhere source code
- Google Earth update erases undersea grid mistaken for "Atlantis"
- Shocking Stats on Texting While Driving
- Hackers tried to extort $50000 from Symantec
- PayPal makes eBay customer destroy $2,500 violin, seller left empty handed
- Pinterest secretly swaps links for profit
- Facebook required for Spotify account, here's a trick
Latest CBS News Headlines
on Facebook
on CBS News
- Pakistan: U.S. drone strikes picking back up
- Ahead of the Bell: Wholesale Inventories
- Canadian businesses sign $3B in deals with China
- Ahead of the Bell: Unemployment benefits
on Facebook
- Calif. surfer runs fastest-growing camera company
- Mo. teen gets life in prison for murder of 9-year-old girl
- "Person to Person": Bon Jovi behind the scenes
- Adele opens up about vocal cord surgery
on CBS News
