
Gumblar - New Enemy

Last Wednesday, Sophos researcher Onur Komili reported that Gumblar, also known as Troj/JSRedir-R, had roared to the No. 1 spot among the Web's most common infections -- noting that it's six times more prevalent than the next closest threat, at around 42 percent of all of Sophos' detections.

The Gumblar attack compromises Web sites by using stolen FTP credentials, which are among the data the well-known Sinowal Trojan harvests. The compromised sites then infect visitors through a drive-by download attack that exploits unpatched Adobe PDF and Flash Player vulnerabilities.

"Drive-by-download attacks have proliferated over the past 18 months and are now one of the primary tools for distributing malware and recruiting zombies," Amichai Shulman, CTO of data security vendor Imperva, said in an e-mail to InternetNews.com. "These attacks use legitimate sites to distribute malware that is actually hosted on an attacker-controlled server."

Once a PC is successfully infected, the malware attempts to redirect Google (NASDAQ: GOOG) search engine results to point to malware-laden and phishing Web sites.

"As a result, there is exponential growth of these compromises -- as more victims are infected by encountering a compromised site, the number of compromised sites also increases and thus more visitors are exposed," Landesman wrote.

"A user doesn't see any of this happening and ... URL filtering and blacklists won't help," Samantha Madrid, product manager of Cisco's Web security product, told InternetNews.com. "These infected sites are still legitimate and the attack catches people off-guard."

"A Web site consists of 150 or 160 objects, and the attack adds just one more ingredient," Madrid said. "Its footprint is small."

After infected Web sites were cleaned, Gumblar began replacing the original malicious code with dynamically generated JavaScript, making it harder for security tools to identify. The attackers also moved from the original domain, gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, to martuz.cn. According to ScanSafe, both domains have since been shut down.

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match a pair on the reference list, it could be an indication of a Gumblar infection.
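The four steps above amount to a file-integrity check: hash the installed sqlsodbc.chm, then look the (SHA1, size) pair up in a known-good list. The script below is an added example that automates that check; it is not from the original article, from ScanSafe or from FileAlyzer. The reference list it parses is a constructed placeholder in the format "sha1 size", not the real hashes from the ScanSafe STAT Blog, and the demo runs against constructed temp files so it works offline. Point `check_file` at the real sqlsodbc.chm and paste the published list into `parse_reference` to use it on a live machine.

```python
import hashlib
import os
import tempfile

# Constructed placeholder reference list in "sha1 size" form. These are NOT the
# real hashes from the ScanSafe STAT Blog; paste that list here instead.
SAMPLE_REFERENCE_TEXT = """
# sha1                                     size-in-bytes
0000000000000000000000000000000000000000   12345
1111111111111111111111111111111111111111   23456
"""


def parse_reference(text):
    """Parse 'sha1 size' lines into a set of (lowercase sha1, int size) pairs.

    Blank lines and '#' comments are ignored; a malformed line raises ValueError
    so a bad paste is noticed rather than silently shrinking the allow-list.
    """
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or len(fields[0]) != 40:
            raise ValueError("malformed reference line: %r" % raw)
        pairs.add((fields[0].lower(), int(fields[1])))
    return pairs


def sha1_and_size(path, chunk_size=65536):
    """Return (sha1 hex digest, size in bytes) for the file at path, read in chunks."""
    h = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def check_file(path, reference):
    """Return 'match' if the file's (sha1, size) is on the reference list,
    'mismatch' if it is not (a possible Gumblar modification), or 'missing'
    if the file does not exist."""
    if not os.path.isfile(path):
        return "missing"
    digest, size = sha1_and_size(path)
    return "match" if (digest, size) in reference else "mismatch"


def default_sqlsodbc_path():
    """Default location of sqlsodbc.chm: %SystemRoot%\\System32 (C:\\Windows\\System32 on XP)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "sqlsodbc.chm")


def demo():
    """Constructed demo: a stand-in 'clean' file, a tampered copy and a missing file.

    Returns the three check results so the behaviour can be verified offline.
    """
    clean = b"constructed stand-in for a clean sqlsodbc.chm\n"
    tampered = clean + b"<script>constructed appended content</script>\n"
    reference = {(hashlib.sha1(clean).hexdigest(), len(clean))}
    with tempfile.TemporaryDirectory() as d:
        clean_path = os.path.join(d, "clean.chm")
        tampered_path = os.path.join(d, "tampered.chm")
        with open(clean_path, "wb") as f:
            f.write(clean)
        with open(tampered_path, "wb") as f:
            f.write(tampered)
        return (
            check_file(clean_path, reference),
            check_file(tampered_path, reference),
            check_file(os.path.join(d, "absent.chm"), reference),
        )


if __name__ == "__main__":
    print("demo:", demo())
    # On a real Windows machine, replace SAMPLE_REFERENCE_TEXT with the published list.
    print(default_sqlsodbc_path(), "->", check_file(default_sqlsodbc_path(), parse_reference(SAMPLE_REFERENCE_TEXT)))
```

A mismatch is only an indicator, as the article says: a legitimately updated or different-language copy of the file will also fail the lookup, so a mismatch should be followed by a second check (a known-clean system, or a full scan) rather than treated as proof of infection.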

A common denominator in the Gumblar malware installed on the victim PCs is that it modifies sqlsodbc.chm, a default Windows file. With antivirus detection a bit hit or miss, one good method to check for infection would be to ensure the installed sqlsodbc.chm has not been modified.

Gumblar Fast Heal is an effective tool to eliminate the Gumblar worm.

By: Konstantino Artemev

Article Directory: http://www.articledashboard.com

An easy and fast solution created directly for the successful fight with Gumblar and for Gumblar removal: download Gumblar Fast Heal here: www.securitystronghold.com/solutions/gumblar-removal-tool-download.html

© 2005-2011 Article Dashboard