The Gumblar virus is on the warpath infecting more home computers and more websites everyday. Unlike other viruses, it is not infecting computers with the sole aim of stealing credit card details. It infects a computer with the ultimate aim of creating a global network of web servers to siphon money away from the mighty Google, or so it seems.
So what is Gumblar? Gumblar.cn was the first domain discovered that was creating and managing this attack. Gumblar.cn has now been clsed down, as has the next in line, but it is thought that the virus makers have a whole host of domains and servers to utilise. To put simply, Gumblar steals FTP passwords from web designers and site manager, then uses them to connect to website servers, and edit .html .php and .js pages. Plus add a few extras too. It targets index files as well as creating files in image directories, and even modifies webalizer and awstats files given the chance. These are likely to be the backdoors.
Once Gumblar has infect a webserver, the website on that server becomes a carrier, and spreads the virus to new computers. Anyone browsing to an infected website can pick up the virus. It utilises vulnerabilities in Adome Flash and Adobe Reader so install itself on a pc. Patches allegedly fix thi – http://adobe.com/support/security/ and http://get.adobe.com/flashplayer/
Until a few days ago, the only anti-virus software to detect and cage the virus was Avast! (one of the free ones!). Systemic, Norton and co were clueless. You can download it here: http://avast.com/eng/download-avast-home.html
No web browser is safe either (well, Google’s Chrome may be safe) as the vulnerability is in the pdf readers and Flash software that runs in conjunction with the browsers.
So, how to fix it?
If you are not a web designer / webmaster, you probably do not know that you are infected, so you are not reading this. This bit is for the people that build the internet.
Firstly, find another computer that is not infected. Go to your host’s control panel and change the password. If you are running a database driven site, change your database user passwords too. Backup your database – it is not clear at the moment if the database is at risk. Then, the safest option, is to delete everything in your public_html directory (or equivalent) plus html files in the tmp/webalizer and tmp/awstats directories. Ok, you lose you stats, this is not the end of the world though.
On your computer install Avast. Update Windows. If you struggle to get to the website, that’s the virus blocking you. Download from another pc, copy to media, then install from there. Update and run, run in safe mode, clear you temp data (CCleaner has always been handy for this) and run it again. Make sure you pc is clear. Reboot and run again (in case pesky virus hides and returns on reboot). Ah, before doing all that, disable Windows Restore and ensure all restore points are trashed (should be automatic).
When you computer is clear, you should be ok. As a precaution, delete all FTP passwords from all applications (even the ones you forgot about/tested years ago). I suggest that web masters stop saving FTP data on their pc’s completely. Better safe than very very sorry. Remember, Dreamweaver, Link Crawlers and Site Map generators, Photo Editors, Album Creaters and even some notepad tools (like PSPad) store FTP information.
After this, you should be ok. However there is a problem in that many web server companies do not see it as their problem, so do not help you patch those backdoors. The best option really is to request a full account restore (once all emails etc are downloaded). If you do not want to do that, then it is a case of check for edited files. The attack I witnessed took place in two phases, om May 13th and then again on May 18th, when a majority of the damage was done. Check all files that have been edited recently, that follow a pattern, and delete anything with obscufated code in. Find and replace will not work as the code is never the same from one attack to the next. Tell your web server what you are doing, suggest that they too check files (which they will probably not do if like some I have dealt with). Ask about their virus policy and what they are doing to stop it. If there is a backup pre-dating the virus you can use, revert to this (one host had lost this!). Good luck. We can beat this virus.
Remember, update Adober Reader and Flash, install Avast and set security to high, UPDATE WINDOWS and put automatic updates on, delete FTP details, change password (accessing from a clean pc). Stamp it out.
