Over the past month, the security services ScanSafe and Sophos have reported infections on such major Web sites as ColdwellBanker.com, Variety.com, and Tennis.com. Niels Provos reported in the Google security blog on June 3 that sites infected with Gumblar numbered about 60,000. Visitors became susceptible to infection simply by opening the sites in Internet Explorer.
After the script infects a PC, it attempts to spread its code to any Web site accessible via that machine's FTP client, if one is present. Webmasters often use FTP to make changes to the sites they manage. If FTP software is configured to save a webmaster's sign-in information, the malware can edit itself into a Web site's pages.
Once a PC is running this class of malware, the hacker code tries to trick the user into opening infected PDF and Flash files. If the PC has an unpatched version of Adobe Reader, Acrobat, or Flash, opening an infected file can install a keylogger or other malware. In the case of Gumblar, Google search results in an Internet Explorer window are rewritten, in a way that end users may not notice, so that the links point to hacker sites laden with infected PDF and Flash files.
Security firms have made efforts to block domains that serve as malware destinations in this latest round of attacks. But the bad guys quickly move to substitute other domains in what has been compared to a game of Whack-a-Mole.
Meanwhile, it's not so easy to shut down a well-known, legitimate site that's infected (although many such sites have quickly been cleaned up). You can't protect yourself simply by visiting only "trusted" sites, because there's no easy way for an end user to determine whether a legitimate site is infected.
Fortunately, you can stack the odds in your favor by following the guidelines in the Windows Secrets Security Baseline:
On May 27, the Microsoft Malware Protection Center blog reported that a malware family Microsoft refers to as Gamburl and Redir was infecting legitimate Web sites by embedding malicious scripts in the sites' HTML code. A system running Windows XP could become infected simply by opening a seemingly trustworthy site. (Gumblar, also called JSRedir-R and Martuz, doesn't affect Vista PCs, according to the Unmask Parasites blog.)
Once an XP machine is infected, passwords for FTP sites are retrieved and placed into a file called sqlsodbc.chm. This file is a legitimate SQL help file in Windows XP and 2000, but it's not used on Vista machines.
To determine whether Gumblar has struck your PC, test sqlsodbc.chm, which is located in XP's C:\Windows\System32 folder:
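The same baseline-and-compare idea serves both checks this article describes: spotting a changed sqlsodbc.chm and, for a webmaster, noticing site pages edited through a stolen FTP login. The script below is an added example, not code from the article or any vendor it names; it hashes every file under a folder once and later reports what changed, appeared or vanished. The sample page, the placeholder script tag and the dropped file are constructed for the demo.

```python
# Added example, not the article's or any vendor's code: SHA-256 baseline
# of a folder (a web root, or the one holding sqlsodbc.chm) to spot edits.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def verify(root, baseline):
    """Return (modified, added, removed) relative paths versus the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: baseline a clean page, then append a harmless
    placeholder script tag and drop a new file; verify() should flag both."""
    root = tempfile.mkdtemp()
    page = os.path.join(root, "index.html")
    with open(page, "w") as f:
        f.write("<html><body>Hello</body></html>\n")
    baseline = build_baseline(root)
    with open(page, "a") as f:
        f.write('<script src="CONSTRUCTED-PLACEHOLDER.js"></script>\n')
    with open(os.path.join(root, "dropped.html"), "w") as f:
        f.write("constructed extra file\n")
    return verify(root, baseline)  # (['index.html'], ['dropped.html'], [])
```

Save the result of build_baseline() (for example as JSON) while the folder is known clean, and run verify() against it on a schedule or before each FTP session.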
Home and small-business users can run a free update checker such as Shavlik Patch, which you can download from the vendor's site. (Note that the program requires the free Google Desktop, which is available on Google's site.) A complete review of Shavlik Patch and several competing update programs is in my May 28 top story.
For business networks, I recommend Shavlik's NetChk Protect. I use this utility, which costs from U.S. $104 for two seats, to patch my own firm's network. You can find information about NetChk Protect on Shavlik's site.
For an added measure of protection, configure your PC to use the OpenDNS service, which lets you block categories of sites that you don't visit. You'll find complete instructions for making the required changes to your router on the OpenDNS tutorial page.
To make OpenDNS your DNS server, you can run your router's advanced settings program and manually set its DNS options to 18.104.22.168 and 22.214.171.124. (See Figure 2.)
Figure 2. Make OpenDNS your primary and secondary DNS server in your router's DNS settings to block potentially dangerous sites.
It's theoretically possible to manually enter the URLs of sites you want to block in the OpenDNS settings page. But trying to keep up with the latest list of Gumblar sites is nearly impossible. ScanSafe's STAT Blog indicates that the rate of Gumblar infection is slowing. But new infected domains, all of which use China's .cn top-level domain, are popping up as fast as others are being shut down.
Boost XP's defenses against Gumblar-like attacks
If you feel your XP system needs more protection (for example, you own a PC used by unsupervised teenagers), consider creating user accounts that lack administrator privileges. Granted, XP's limited accounts are often a pain to use because they restrict downloads, settings changes, and other common actions. An article on Microsoft's site explains limited user accounts and describes how to set them up.
Fortunately, the type of limited accounts in the forthcoming Windows 7 will be much easier to use. This is because the most common applications will run properly under Win7 without administrator rights. Steve Friedl's Unixwiz.net site includes a Tech Tip that describes Windows 7's enhanced User Account Control.
Gumblar definitely makes Web surfing with Internet Explorer more hazardous. If your PC is infected, merely searching in Google for seemingly innocent topics can lead you to a site you never intended to visit.
Google's Niels Provos recommends in his Top 10 Malware Sites blog that people use Firefox, Chrome, or another browser that taps into Google's Safe Browsing API. The API blocks Web destinations on Google's list of potentially dangerous sites, which the company claims to update continuously.
Here are some additional ways you can protect yourself: