6 Jun 2009

Gumblar Still At Large...

What is it?
Gumblar is another multi-faceted, ninja-quiet website attack.
Gumblar is named after the Gumblar.cn exploit, which so far targets users of Internet Explorer and Google search. It delivers malware through compromised sites; the malware infects the user's PC and subsequently intercepts traffic between the user and the visited sites. This means that once a PC is infected, anything the victim types could be monitored and used to commit identity theft, such as stealing credit card numbers, Web passwords or other sensitive data. Visitors encountering a compromised website also risk having their subsequent search results replaced with links that point to other malicious websites. The malware can also steal FTP credentials from the victim's computer and use them to infect more sites, thus increasing the spread of this threat. So far, more than 3,000 websites have been attacked, including Tennis.com, Variety.com and Coldwellbanker.com.

Who is at risk?
Users of Internet Explorer and Google's search engine.

How do I know if I've been infected?
(as reported by Elinor Mills with data from ScanSafe):-

1. Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\).
2. Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file.
3. Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog.
4. If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
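
Steps 1 to 4 can be scripted instead of done by hand. The following is an added example, not part of the original post or of ScanSafe's tooling. It assumes the reference list has been saved as text with one `sha1 size` pair per line (that format and all function names are assumptions), and its demo uses constructed stand-in data, not real reference hashes.

```python
import hashlib
import os
import tempfile

def parse_reference(text):
    """Parse 'sha1 size' lines (assumed format) into a set of (sha1, size) pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # allow comments and blank lines
        if not line:
            continue
        digest, size = line.split()
        if len(digest) != 40:
            raise ValueError(f"not a SHA1 hex digest: {digest!r}")
        int(digest, 16)                        # raises ValueError on non-hex input
        pairs.add((digest.lower(), int(size)))
    return pairs

def sha1_and_size(path):
    """Return (sha1 hex, size in bytes) of a file, read in chunks."""
    h = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size

def check_file(path, reference):
    """'known' if the (sha1, size) pair is on the list, 'suspect' if not, 'missing' if no file."""
    if not os.path.isfile(path):
        return "missing"
    return "known" if sha1_and_size(path) in reference else "suspect"

def demo():
    """Constructed data: stand-in bytes, not real sqlsodbc.chm contents."""
    good = b"constructed known-good help file"
    ref = parse_reference(f"# sha1 size\n{hashlib.sha1(good).hexdigest().upper()} {len(good)}\n")
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sqlsodbc.chm")
        results.append(check_file(path, ref))          # file not present yet
        for data in (good, good + b"tampered"):        # listed pair, then altered file
            with open(path, "wb") as f:
                f.write(data)
            results.append(check_file(path, ref))
    return results

if __name__ == "__main__":
    print(demo())
```

On a real system, pass the path from step 1 to `check_file` together with the parsed reference list; a `suspect` result corresponds to step 4, where the pair is not on the list.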

More info about Gumblar


Daisy said...

Yeah, that's why I never use IE!


What Say You? © 2005 - 2016.