Thought the Conficker Virus Was Bad? Gumblar Is Even Worse. by Terrence O'Brien — Jun 2nd 2009 at 7:19AM http://www.switched.com
If you thought Conficker was bad, meet Gumblar. If malware programs were comic book villains, Conficker would be Kingpin -- evil for sure, but really just a big bully. Gumblar on the other hand would be Galactus -- massive, all-powerful, evil, and extremely difficult to defeat.
ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code planted in hacked Web sites, which downloaded malware from the gumblar.cn domain onto victims' computers. But that was just the opening salvo. As Web site operators cleaned the code from their pages, Gumblar replaced the original material with dynamically generated JavaScript (Web site code that is created on the spot instead of being completely determined beforehand, a key element of Web apps like Gmail). Because the injected script varies instead of being one fixed string, signature-based security software finds it much harder to detect and remove.
The evolved version also added new domains to the list of sources for its malware payload, including liteautotop.cn and autobestwestern.cn, and began exploiting security holes in Flash and Adobe Reader. The worm also searches a victim's computer for saved FTP credentials (FTP being the protocol many site owners use to upload files to their Web server) and uses them to infect additional Web sites.
It's not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe, in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but even if every infected page were removed, Gumblar would still have an army of infected PCs (a botnet) to inflict further damage. Already-infected PCs can be used to hijack even more Web sites by searching out logon information for Web servers and uploading the malicious payload, and they can also be instructed to install Trojans that steal data and passwords.
The danger posed by Gumblar is so great that ScanSafe suggests a full reformat and reinstallation of Windows to clean out an infection. It also suggests changing all of your usernames and passwords after securing your PC. Change FTP and Web-server logons first, and do it from a machine you know is clean: those credentials are what Gumblar harvests to reach other sites, and a new password typed on a still-infected PC is simply stolen again.
Detecting an infection is complex and not foolproof. According to ScanSafe, the best way to find out whether your PC has been hijacked by Gumblar is to follow CNET's well-laid-out steps:
1) Locate the file sqlsodbc.chm in the Windows system folder (in Windows XP, open My Computer, then go to Local Disk (C:) --> Windows --> System32).
2) Obtain the SHA-1 of the installed sqlsodbc.chm using FileAlyzer, a free tool for obtaining the SHA-1 of a file. If you've never heard of SHA-1 before, don't panic. It's a cryptographic hash: a fixed-length digital fingerprint computed from a file's contents, designed by the NSA and used by security applications to confirm that a file is what it is supposed to be. Changing even one byte of the file changes the fingerprint.
3) Compare the SHA-1 you obtained, together with the file's size, to the list on the ScanSafe STAT Blog.
4) If the SHA-1 and corresponding file size do not match a pair on the reference list, that is a potential sign of a Gumblar infection. A mismatch is a lead rather than proof: a legitimate Windows build that is not on the list gives the same result, so treat it as a reason to investigate further.
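Steps 1 to 4 boil down to one check: hash the file, note its size, and see whether that pair is on the reference list. The Python script below is an added example that performs the same check without FileAlyzer; it is not ScanSafe's or CNET's code, and the KNOWN_GOOD entries in it are placeholders you must replace with the pairs from the ScanSafe STAT Blog, not real values.

```python
"""Hash-and-size check for sqlsodbc.chm, the test in steps 1 to 4 above.
Added example; KNOWN_GOOD holds placeholder pairs, not the ScanSafe list."""
import hashlib
import os
import sys
import tempfile

# Placeholder reference list: replace with the (sha1, size) pairs published on
# the ScanSafe STAT Blog. The single entry here is the SHA-1 of the bytes
# b"abc", used only so the demo below has something to match against.
KNOWN_GOOD = {
    ("a9993e364706816aba3e25717850c26c9cd0d89d", 3),
}


def sha1_and_size(path, chunk=1 << 16):
    """Stream the file so a large .chm is hashed without loading it whole."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size


def check_file(path, reference=KNOWN_GOOD):
    """Return (status, sha1, size).

    'known-good'  the (sha1, size) pair is on the reference list
    'unknown'     it is not: a lead, not proof, since a legitimate Windows
                  build missing from the list gives the same answer
    'missing'     the file does not exist
    The pair is compared, not the hash alone, because the reference list
    is published as hash plus size.
    """
    if not os.path.isfile(path):
        return ("missing", None, None)
    digest, size = sha1_and_size(path)
    status = "known-good" if (digest, size) in reference else "unknown"
    return (status, digest, size)


def default_path():
    """Step 1: %SystemRoot%\\System32\\sqlsodbc.chm (C:\\Windows on XP)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "sqlsodbc.chm")


def write_demo_file(contents=b"abc"):
    """Write a stand-in for sqlsodbc.chm so the check can be run anywhere."""
    fd, path = tempfile.mkstemp(suffix=".chm")
    with os.fdopen(fd, "wb") as fh:
        fh.write(contents)
    return path


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_path()
    if not os.path.isfile(target):
        # Not on Windows, or file absent: demonstrate on a temporary stand-in.
        target = write_demo_file()
    status, digest, size = check_file(target)
    print(f"{target}: {status} sha1={digest} size={size}")
```

Run it with no arguments on the affected Windows machine, or pass a path. The only verdict worth acting on is 'unknown', and even that is a reason to investigate rather than a diagnosis, as step 4 says.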
This year there has been a large increase in the number of legitimate websites infected by a so-called "iframe" threat: an invisible HTML iframe, planted in the page by an attacker, that pulls malicious content from another server.
Several prominent websites have come under attack from hackers who modified the underlying code so that malware can be distributed to unsuspecting visitors. When a user visits an infected site, the browser silently opens a connection to a remote server, which can then attempt to install malware on the user's computer. The intention could be to generate spam, or something more sinister such as stealing personal information, e.g. bank account or credit card details.
In 2008 several high-profile websites were targeted, including USA Today, ABC News, Target and Walmart, and simply visiting one of these infected websites could have resulted in the user's computer being infected. More recently, a number of websites have been detected by avast! as infected by a malicious script called "HTML:Iframe-inf". Among the websites affected are a number of US Government sites, including the United States Forest Service and the US International Trade Commission, and the websites of several embassies around the world. Many popular travel and recreational websites have also been compromised.
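Both the Gumblar campaign described earlier on this page (script tags fetching the payload from the named .cn domains, later replaced by obfuscated, dynamically generated JavaScript) and the "iframe" threat described in this post leave the same kind of artifact in a legitimate page: a reference to an attacker's server that the visitor never sees. The scanner below is an added example, not code from either article, ScanSafe or avast!. The blocklist holds the three domains the Gumblar article names; the sample page, the hidden-iframe rule and the eval/unescape heuristic are constructed for illustration and are not published signatures.

```python
"""Scan HTML for the injected artifacts described above: script tags that
load from a known payload domain, hidden iframes pointing off-site, and
inline scripts that look like obfuscated, dynamically generated JavaScript.
Added example, not code from the articles; blocklist from the text,
sample page and heuristics constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Payload domains named in the Gumblar article. A real deployment loads a
# current blocklist instead of hard-coding three 2009 domains.
BLOCKLIST = {"gumblar.cn", "liteautotop.cn", "autobestwestern.cn"}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ESCAPE_RUN = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)


def _host(url):
    """Hostname of a URL, lower-cased; '' for relative URLs."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def _is_tiny(attrs):
    """True for a 0- or 1-pixel frame, which the visitor cannot see."""
    try:
        width = int(attrs.get("width", "100").strip('"% '))
        height = int(attrs.get("height", "100").strip('"% '))
    except ValueError:
        return False
    return width <= 1 or height <= 1


def looks_obfuscated(script_body):
    """Constructed heuristic, not a Gumblar signature: eval() fed by
    unescape()/fromCharCode, or eval() next to a long run of %xx/\\x escapes."""
    if not re.search(r"\beval\s*\(", script_body):
        return False
    if re.search(r"\bunescape\s*\(|fromCharCode", script_body):
        return True
    return len(ESCAPE_RUN.findall(script_body)) > 40


class InjectScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src", "")
            if src and _host(src) in BLOCKLIST:
                self.findings.append(("script-src-blocklisted", src))
        elif tag == "iframe":
            src = a.get("src", "")
            host = _host(src)
            hidden = _is_tiny(a) or bool(HIDDEN_STYLE.search(a.get("style", "")))
            if host in BLOCKLIST:
                self.findings.append(("iframe-blocklisted", src))
            elif host and host != self.page_host and hidden:
                self.findings.append(("iframe-hidden-external", src))

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data; buffer until </script>.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if looks_obfuscated(body):
                self.findings.append(("inline-script-obfuscated", body[:60]))


def scan_html(html, page_host):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for the demo; the injected lines mimic what the
# articles describe, the URLs are made up.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<script src="http://gumblar.cn/rss/?id=1"></script>
<iframe src="http://bad-host.example/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="http://www.example.org/player" width="640" height="360"></iframe>
<script>var s=unescape("%3c%73%63%72%69%70%74%3e"); eval(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "www.example.org"):
        print(f"{kind:28} {detail}")
```

Run it over a site's HTML files before and after cleanup. The hidden-iframe rule flags any off-site frame sized 0 or 1 pixel or styled invisible, so a legitimate tracking pixel will show up too and needs to be allow-listed; that is the price of catching an injection whose domain is not yet on any list.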
avast! Antivirus will detect and block access to any website infected by this threat and will display a warning that a virus has been detected. If avast! displays this warning, discontinue your attempt to connect to that website and either report the infection to the site's owner so that it can be removed, or post a message in the Viruses and Worms section of the avast! forum so that it can be investigated to determine whether the website really is infected. Do not ignore this warning even if you believe the website to be reputable: the recent attacks prove that no website is immune to infection.
Thanks to one of our regular forum users, who reported the infection to the organization concerned, the website of the US International Trade Commission was quickly repaired and the infection removed; potentially, however, many more websites remain infected.
To minimize the risk of falling victim to this and similar threats, it is essential that your antivirus software is kept up to date. We recommend that avast! Antivirus be set to update itself automatically, or alternatively that you perform regular manual updates, ideally daily.
Alwil Software would like to thank its regular forum users for their help in this particular case and for the valuable support they continually provide to the rest of the avast! user community. [www.avast.com]
12 Sneakiest Computer Viruses by Dan Reilly, posted Oct 9th 2008 at 2:00PM http://www.switched.com
The Storm Worm This virus is one of the nastiest and most prolific out there. It's a back door Trojan (malicious software disguised as a harmless program) that is spread to PCs via fake news and holiday greeting card e-mails. Once infected, your computer becomes part of a botnet, a network of compromised computers that run and spread the malware at an alarmingly fast rate, so your computer not only slows down but also serves as a perpetrator of the crime. How to protect yourself? Don't open any files in e-mails from people you don't know, turn on your e-mail program's spam filter, and make sure your virus protection software is up to date.
Mal/Hupig-D That Obama sex tape e-mail we told you about contains this devious virus. Mal/Hupig-D runs in the background of Windows and steals your passwords, credit card information, and the like. Virus scanners look for it now, but rely on your common sense first and don't click on that e-mail. If you're worried that your computer might be infected with it, don't enter your passwords or credit card information until you get it looked at by a computer professional.
OSX/Hovdy-A Sorry, Mac users, but you're in danger too. This Trojan affects computers using Mac OS X 10.4 or 10.5, and lets the bad guys use your Apple Remote Desktop agent for a host of disturbing activities. The virus can be used to monitor your keystrokes, transmit passwords, turn on file sharing, take screen shots, and, creepiest of all, take pictures with the built-in iSight camera -- all unbeknown to you! It's spread through downloads that you have to agree to, so if you stay sharp, avoid sketchy utilities, and keep your anti-virus protection current, you'll be fine.
The Facebook Trojan, aka Troj/Dloadr-BPL Facebook users have probably seen it happen – a friend posts a link to a Web site on other people's walls, urging them to see a funny video or find out who has a crush on them. Just as with spam e-mails, the link takes you to a bogus site that tells you to download a newer version of Flash, which turns out to be Troj/Dloadr-BPL. This virus then lets hackers take over your computer to spread spam and malware. Basically, criminals are using Facebook because they think users are more likely to visit a link if a friend tells them to. The solution? Don't click it, or better yet, stop using those annoying Facebook Wall programs anyway. Be particularly wary of videos posted by people who don't usually send videos (at least to you).
Zlob Beginning in 2005, the Zlob Trojan has been infecting computers by convincing users they need to download a codec to view a spam or porn video. The Trojan then reroutes your Internet traffic through a hacker's server. The end result is a computer that shuts down randomly and reboots with confusing text messages. The newest variation of Zlob goes after your Wi-Fi router, logging in by running through a list of default user name and password combinations, which many users never change. In addition to the usual anti-virus and trusted-downloading advice, this time make sure to replace your router's default administrator password and revisit its security settings regularly. It's that easy.
Mebroot Starting around the beginning of the year, the Mebroot virus began infiltrating computers' master boot records (the part of the hard drive that loads the operating system, which is why the infection runs before Windows and your anti-virus software do) by installing itself from untrusted Web sites. The virus installs keyloggers that are triggered when the infected computer is used to visit any of some 900 financial sites, stealing user names and passwords whenever they're typed (and thus eventually your money or identity). Unfortunately, this rootkit hides from most virus protection software, but you can visit GMER to get a tool that scans for and deletes this menace.
The Clipboard Attack A new threat that popped up recently uses Flash banner ads to hijack your computer's clipboard through the Mozilla Firefox Web browser. You'll know your computer, Mac or PC, is affected when your clipboard will only paste a link to a site that sells a bogus security program. Many people are led to the sites carrying the infected ads through spam e-mails purporting to come from CNN or MSNBC. You can get rid of the problem by restarting your computer or killing the Firefox process, and installing a Flash-blocking add-on for the browser can only help.
Agent.JEN Trojan This crafty file is mainly getting into computers via the UPS e-mail scam we warned you about a while ago. The Trojan comes in an attachment that purports to be an invoice for an undeliverable package, and then stealthily allows your financial data to be stolen by foreign crooks. UPS rarely sends attachments, so if you receive something suspicious, don't open it and contact customerservice@ups.com.
Penguin Panic, aka Troj/Agent-HNY Recently, an iPhone-themed Trojan has been spreading via e-mails that offer a free game for the Apple product. The virus hides in a file named "Penguin.Panic.zip," which is attached to e-mails with subject lines like "Virtual iPhone games!" and "Apple: The most popular game!" The Trojan actually infects Windows machines, allowing hackers to take control of them. So, to protect yourself, don't download any free games like this!
Gpcode Ransomware This Trojan is unique in that when it infects your computer, it encrypts your files and demands payment, usually around $100, to unlock them. Experts are still unsure how this malware is spread and how to protect against it outside of constantly backing up your files. On the bright side, the author of the code was recently identified as a Russian citizen, but authorities have yet to do anything about it.
FakeAV-AD Trojan Looking for a deal on your anti-virus software? If you're not careful, you could end up downloading a virus that'll scam you out of your hard-earned money. While there are a variety of these threats around the Web, a current prevalent one -- the FakeAV-AD Trojan -- pretends to be a free copy of Norton AntiVirus 2008. If you download it, you'll get a number of security alerts that tell you to buy the full version with your credit card. Guess what happens next? The sneakiest part about this site, though, is that it comes up as a Sponsored Link in Google if you're searching for free virus protection.
Rogue Security Applications Last month, a family of malware called Rogue Security applications comprised over 60% of computer threats. Much like the fake Norton link, the variations of this Trojan convince users to download security programs that intend to control your computer and rip you off. Most often, they're downloaded from those popup ads that say your computer is infected, leading you to download the file even if you try to close the window. There are many versions of this Trojan, some of which resist anti-virus programs, so be very careful, but for starters, make sure your browser's pop-up blocker is enabled.