Gumblar – virus Threat to the Internet – How to Remove

The Gumblar virus is on the warpath infecting more home computers and more websites everyday. Unlike other viruses, it is not infecting computers with the sole aim of stealing credit card details. It infects a computer with the ultimate aim of creating a global network of web servers to siphon money away from the mighty Google, or so it seems.

So what is Gumblar? Gumblar.cn was the first domain discovered that was creating and managing this attack. Gumblar.cn has now been clsed down, as has the next in line, but it is thought that the virus makers have a whole host of domains and servers to utilise. To put simply, Gumblar steals FTP passwords from web designers and site manager, then uses them to connect to website servers, and edit .html .php and .js pages. Plus add a few extras too. It targets index files as well as creating files in image directories, and even modifies webalizer and awstats files given the chance. These are likely to be the backdoors.

Once Gumblar has infect a webserver, the website on that server becomes a carrier, and spreads the virus to new computers. Anyone browsing to an infected website can pick up the virus. It utilises vulnerabilities in Adome Flash and Adobe Reader so install itself on a pc. Patches allegedly fix thi – http://www.adobe.com/support/security/ and http://get.adobe.com/flashplayer/

Until a few days ago, the only anti-virus software to detect and cage the virus was Avast! (one of the free ones!). Systemic, Norton and co were clueless. You can download it here: http://www.avast.com/eng/download-avast-home.html

No web browser is safe either (well, Google’s Chrome may be safe) as the vulnerability is in the pdf readers and Flash software that runs in conjunction with the browsers.

So, how to fix it?

If you are not a web designer / webmaster, you probably do not know that you are infected, so you are not reading this. This bit is for the people that build the internet.

Firstly, find another computer that is not infected. Go to your host’s control panel and change the password. If you are running a database driven site, change your database user passwords too. Backup your database – it is not clear at the moment if the database is at risk. Then, the safest option, is to delete everything in your public_html directory (or equivalent) plus html files in the tmp/webalizer and tmp/awstats directories. Ok, you lose you stats, this is not the end of the world though.

On your computer install Avast. Update Windows. If you struggle to get to the website, that’s the virus blocking you. Download from another pc, copy to media, then install from there. Update and run, run in safe mode, clear you temp data (CCleaner has always been handy for this) and run it again. Make sure you pc is clear. Reboot and run again (in case pesky virus hides and returns on reboot). Ah, before doing all that, disable Windows Restore and ensure all restore points are trashed (should be automatic).

When you computer is clear, you should be ok. As a precaution, delete all FTP passwords from all applications (even the ones you forgot about/tested years ago). I suggest that web masters stop saving FTP data on their pc’s completely. Better safe than very very sorry. Remember, Dreamweaver, Link Crawlers and Site Map generators, Photo Editors, Album Creaters and even some notepad tools (like PSPad) store FTP information.

After this, you should be ok. However there is a problem in that many web server companies do not see it as their problem, so do not help you patch those backdoors. The best option really is to request a full account restore (once all emails etc are downloaded). If you do not want to do that, then it is a case of check for edited files. The attack I witnessed took place in two phases, om May 13th and then again on May 18th, when a majority of the damage was done. Check all files that have been edited recently, that follow a pattern, and delete anything with obscufated code in. Find and replace will not work as the code is never the same from one attack to the next. Tell your web server what you are doing, suggest that they too check files (which they will probably not do if like some I have dealt with). Ask about their virus policy and what they are doing to stop it. If there is a backup pre-dating the virus you can use, revert to this (one host had lost this!). Good luck. We can beat this virus.

Remember, update Adober Reader and Flash, install Avast and set security to high, UPDATE WINDOWS and put automatic updates on, delete FTP details, change password (accessing from a clean pc). Stamp it out.

  14 comments for “Gumblar – virus Threat to the Internet – How to Remove

  1. Server Security Analyst for a .com
    May 22, 2009 at 9:30 pm

    This attack, like any virus attack, works because people adopt unsafe practices such as using the same PC for web development / business as home use, storing passwords without any thought of who may gain access to them, running old AV software, out of date OS installations, no firewalls, old browser software etc. etc.

    Some suggestions to avoid getting infected with a trojan of any kind (not just gumblar):

    1. Use a proper OS rather than Windows – OSX, Linux (Ubuntu is v. windows friendly)
    2. Manage websites through a dedicated VM (and, have a dedicated VM for ebanking)
    3. Turn on auto-update on all software
    4. Subscribe to email updates for software to ensure you have the latest patch installed
    5. Turn on auto-updates for Windows
    6. Make regular remote backups

    Any one of the first three would have prevented a user being infected, the fourth would have made recovering from the attack trivial. Most PC users fail to take responsibility for their own machines, and end up spending far more time trying to eradicate viruses, trojans, spyware etc. than they would ever have to spend on actually making the PC secure in the first place.

    Saying that, I still wonder why so many people continue to use Windows. Apart from some good games, you can do everything on Linux for free. And it is safer. For those that really want to continue to use a Windows operating system, as long as any Windows machines are running in a VM within Ubuntu, you can keep them pretty safe, even if they are not up to date with the latest security patches.

  2. Webologist
    May 22, 2009 at 9:50 pm

    You seem to know your stuff. This all makes sense. I think that we shall review some of these suggestions, especially remote backups and virtual machines.

    Readers may want an explanation on running VM in Linux/Ubuntu …. if you could give us some pointers, that would be greatly appreciated.

  3. Webologist
    May 23, 2009 at 7:48 pm

    We should point out that this virus is now often referred to as martuz.cn although I think that this domain has also not been closed down. The virus is spreading, the creators are being hounded and closed, but at the moment there is still no end in site, due to the huge numbers of people with unsecured Windows computers.

  4. Webologist
    May 27, 2009 at 8:18 pm

    More useful information on Gumblar:

    “In Gumblar, hackers only wanted to load the script on Windows machines with version of Windows prior Vista (NT 6). In Martuz, they added a new check and no longer load the external script in a Google Chrome browser. I guess hackers read multiple forums and noticed that many webmasters used Google Chrome to detect the malicious code (Chrome detects calls to blacklisted sites and warns users). Now, if a webmaster loads an infected web sites in Chrome, there will be no warning since the external code won’t load. And the webmaster may mistakenly think that the site is clean and no additional removal action is required.

    Don’t count on Google Chrome (and Safari) warnings. As you can see, hackers can make their code unnoticeable. And they can use new domain names every day, so that even if Chrome detects calls to the new malicious sites, it won’t warn you since those site are not blacklisted yet.

    Make sure to check the source code of web pages. Or check web pages with my Unmask Parasites – it detects suspicious scripts without executing them.” Source: Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

  5. Webologist
    May 27, 2009 at 8:25 pm

    UnmaskParasites.com provide an online tool to check if your site (well, any site in fact) has Gumblar (and maybe another .js .php .html page infected virus. This is their response to the fact that thousands of web site owners are unaware that their sites are hacked and infected with parasites.

  6. Webologist
    May 29, 2009 at 12:13 am

    OK, last night I installed Ubuntu onto my old XP machine, wiping the old XP installation. Took a while to install, as my disk is now 2 releases out of date, so upgraded to latest Ubuntu, 9.04 Jaunty Jackalope. Then installed VirtualBox OSE using the Synaptic Package Manager. Had to use command line once for “sudo adduser me vboxusers”. Then fired up VirtualBox, set up a new VM (virtual machine) and installed XP from disc. Now have a working XP within a Linux distro.

    How bleedin’ secure is that eh?

    So far only used IE, and it works a treat. Feel tempted to seek out dodgy sites to see what happens. Must be a list of sites with trojans/viruses on that I can test the system with.

    The only reason I have XP running is for IE6 which seems to always screw up my CSS floats. And so many people still use IE6. When Google control all computers, and everyone uses Chrome, then life will be easier. Until then, VM’s are the way to go.

    I will write a dedicate post for this at some point….

  7. Murphy %9
    June 30, 2009 at 5:52 pm

    Super-Duper site! I am loving it!! Will come back again, Thanks.

  8. Mike
    November 4, 2009 at 5:12 pm

    Is Mac OSX vulnerable?

  9. Webologist
    November 4, 2009 at 5:25 pm

    Hi Mike, I am not familiar with Macs at all, and admit I have not been following this virus for some time now. There does appear to be a vulnerbility on Macs though:

    “So it appears Gumblar was downloaded on a Mac of ours. It doesn’t appear to show any adverse affects. But when we started using that machine to access webservers, Gumblar got into these remote servers and infected multiple websites. Affected sites apparently crashed user’s computers (only HP products for some reason) and they had to have them revived by service techs. Which I’m paying for. I need to make a report about our situation. Any feedback on how this Gumblar can get from a Mac to a remote server yet not be evident on the host Mac?” http://news.cnet.com/8301-1009_3-10244529-83.html

    Not a solid source on information as it is just a forum post on Cnet.com. But there could well be a risk. Using Firefox and having all your software up to date is still the best security measure though – this applies to all operating systems not just Windows.

    Plus the most important security measure – never allow software to store FTP logins and passwords – not even text editors, but especially Dreamweaver etc. It is a lot safer to have the password on a bit of paper stuck on your wall than somewhere on your computer.

  10. December 1, 2009 at 4:19 pm

    Use Google Webmaster Tools to keep an eye out for anything suspicious on your websites. Google alerts can also be set for the specific website. i.e. “site:yoursite.com viagra” will set an alert if your site is hacked by the usually jerks. Once corrected submit a sitemap to Google to re-index the pages.

  11. Dan
    January 11, 2010 at 2:42 pm

    It is a shame that people still propagate the myth that other operating systems are immune to viruses. As they become more popular they are being increasingly targeted and they have the same holes as any other OS I’m afriad. But this insistance that Macs are safe leaves people even more vulnerable to eg phishing scams etc as I find they are less aware.

    People use Windows because consumer software and hardware is geared towards the MS world. Life is too short for Linux.

    Keep your OS up to date and be careful what sites you visit.

  12. Marie
    March 31, 2010 at 11:30 am

    Hello there, I have a problem and I want to explain what is it.

    I use Opera because Internet Explorer brought me a virus. I downloaded Google Chrome, and a few many hours ago, it said that I have a threat and that I’m not connected to the Internet. The same happens when I open a program that I downloaded.

    Sincerelly,
    Marie

  13. Webologist
    March 31, 2010 at 11:41 am

    What did you download? Maybe try to uninstall and delete that, then run av (avast is a good choice) and hope that clears it up.

  14. Mel
    June 5, 2010 at 1:26 pm

    Thank you for the very thorough explanation. I have been googling this subject for about four hours, and yours is far and away the clearest for a simpleton like me to understand. AVG is blocking access to my own sites, and my webhost says Gumblar, so I am on the hunt for a solution. Thanks for the detail.

Leave a Reply

Your email address will not be published. Required fields are marked *