It's been about a month now since some websites started being flagged in Google search results with “This site may harm your computer.”
Days before April Fool's Day, I blogged about the chaos over the scheduled attack of the re-modified Conficker worm, which destroyed not only personal computers but also the system networks of government agencies and educational institutions around the globe. Since I don't want my computer to be infected, I simply applied the patches downloaded from Microsoft's website. Last Sunday, I received a security alert from ZoneAlarm® (my antivirus just for my browser security) informing me that some configuration changes were needed on my ZoneAlarm Extreme Security. This will basically protect my system from being infected by the newly discovered malicious software that targets Internet Explorer and Google Search Engine users… I am quite lucky anyway, since I use Mozilla Firefox most of the time. That doesn't guarantee the creator of this malicious code will not attack Firefox users too, but so far it's Internet Explorer – who knows?
This malicious software has been tagged as Gumblar. Gumblar, rated high severity, is named after the Gumblar.cn exploit. Gumblar is another multi-faceted, ninja-quiet website attack, delivering malware through compromised sites that infects a user's PC and subsequently intercepts traffic between the user and the sites they visit. This means that, once infected, anything the victim types could be monitored and used to commit identity theft, such as stealing credit card numbers, Web passwords or other sensitive data. Visitors encountering a compromised website also risk having their subsequent search results replaced with links that point to other malicious websites. The malware can also steal FTP credentials from the victim's computer and use them to infect more sites, thus increasing the spread of this threat. So far, more than 3,000 websites have been attacked, including Tennis.com, Variety.com and Coldwellbanker.com – is your site included? Simply search on Google and check whether the link to your site on the SERP has also been flagged.
If you want to know whether your system has been infected, simply follow these steps:
1. Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\).
2. Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file.
3. Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog.
4. If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
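As an added example (not from the original post or from the ScanSafe write-up), the following Python script automates steps 1 to 4: it computes the size and SHA1 of sqlsodbc.chm in chunks and compares the pair against a reference set. The KNOWN_GOOD set is a placeholder; the real (size, SHA1) pairs come from the ScanSafe STAT Blog list and are not reproduced here.

```python
import hashlib
from pathlib import Path

# Default location from the post (Windows XP). Adjust for other Windows versions.
SQLSODBC_PATH = Path(r"C:\Windows\System32\sqlsodbc.chm")

# Placeholder: the real (size_in_bytes, sha1_hex) pairs for clean copies of
# sqlsodbc.chm were published on the ScanSafe STAT Blog and are not reproduced
# here. Populate this set from that list before running the check.
KNOWN_GOOD = set()


def fingerprint(path):
    """Return (size_in_bytes, sha1_hex) for the file at `path`, hashed in chunks."""
    h = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def check_file(path, known_good=KNOWN_GOOD):
    """Classify a file against the reference list of (size, sha1_hex) pairs.

    Returns one of:
      "match"    - size and SHA1 both match a reference pair (looks clean)
      "mismatch" - no reference pair matches; possible Gumblar modification
      "missing"  - the file does not exist at this path
    """
    p = Path(path)
    if not p.is_file():
        return "missing"
    return "match" if fingerprint(p) in known_good else "mismatch"


if __name__ == "__main__":
    if not SQLSODBC_PATH.is_file():
        print(f"{SQLSODBC_PATH}: not found; check the system folder for your Windows version")
    else:
        size, sha1 = fingerprint(SQLSODBC_PATH)
        print(f"{SQLSODBC_PATH}: {size} bytes, SHA1 {sha1}")
        if KNOWN_GOOD:
            print("status:", check_file(SQLSODBC_PATH))
        else:
            print("KNOWN_GOOD is empty; compare the pair above against the ScanSafe list by hand")
```

A "mismatch" is only an indicator, as step 4 says: a different Windows version or service pack ships a different sqlsodbc.chm, so confirm against the full list before concluding the machine is infected.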
Once you find yourself infected, Daniel Ansari’s Blog provides detailed steps on how to remove Gumblar. This includes a script he created to automate the removal of Gumblar. The script uses PHP expressions to remove Gumblar modifications from HTML, PHP and JS files.