MALWARE vs Adobe software / PDF reader / Flash player
This is not totally new but the threat came back and got worse. Anyhow, don't panic.
If you use Adobe Acrobat / Adobe reader for PDF files and/or Adobe Flash player, you MUST upgrade (free) to the latest versions.
Malicious software on some websites can use the files you play or download and these programs to install malware on your computer. (If you use FTP accounts somewhere, this is even worse as they can get your FTP connection codes and possibly contaminate your own websites or give access to them.)
Attacks from Gumblar Rise by 190%
(15th May 2009)
Infection rates for an attack that has been slowly spreading since late
March have jumped nearly 190 percent in the last week. The attack,
called Gumblar, infects legitimate websites with malicious code causing
visitors to the site to be infected with a family of Trojans. The
attack targets known exploits in Adobe PDF and Adobe Flash files. Once
a system has been compromised, the malware will steal any FTP
credentials on the user's PC and replace the links in Google search
results, which allows the attackers to redirect the user to a site of
the attacker's choosing. Users are advised to update to the latest
versions of Adobe software.
EDIT: a clear explanation:
http://www.webologist.co.uk/2009/05/gum ... emove.html
Other sources
http://www.scmagazineus.com/Gumblar-web ... le/136836/
http://www.computerweekly.com/Articles/ ... erated.htm
As usual, it is hard to find any specific information about such situations on Adobe's site.
The security page is here
http://www.adobe.com/support/security/index.html
Information about the concerned software is here
http://www.adobe.com/support/security/i ... #readerwin
http://www.adobe.com/support/security/index.html#flash
Re: MALWARE vs Adobe software / PDF reader / Flash player
so how do you identify if you have the virus? Will normal scans identify it? or what is the fix?
Re: MALWARE vs Adobe software / PDF reader / Flash player
Elrojo wrote: so how do you identify if you have the virus? Will normal scans identify it? or what is the fix?
ATM, it's a bit of a mess, as most anti-virus and anti-malware software do not detect it correctly. But no reason to panic.
You'll find below an article (for what it is worth) about how to deal with the threat. There will be more information available in the future, likely. Also all security software should be updated soon.
Anyhow the FIRST thing to do is to update your Adobe Reader and Acrobat, and your Adobe Flash player to the latest versions. (Months old already but most people don't have them.)
The second thing, if you have a doubt, and before all security software companies update their software, is to install the free version of AVAST anti-virus, which is able to detect Gumblar.
http://www.avast.com/eng/download-avast-home.html
But at the time of writing other programs are maybe already updated (check with their publishers).
Note that people who run / manage / create websites and/or use FTP are mainly concerned.
http://www.webologist.co.uk/2009/05/gum ... emove.html
(Added this URL to the first post of this thread)
Re: MALWARE vs Adobe software / PDF reader / Flash player
ok so no idea if i have the virus. I did the updates at work for adobe and then D/L Avast. When i installed it at work it restarted then did like a scan before windows launched. It said it found 2x trojan in win32 or something but that was it.
Laptop at home was a different story. I was using McAfee cos it was free w/ the laptop but it seems that i can't get it to scan. Kept giving me an error message with a number. So i uninstalled it and tried to re-install it off the CD and it installed all components except the virus scanner. So I D/L the client (since i'm registered) and when i went to install it says there is a problem with javascript so it won't run. I went to java and D/L the latest version of that, restarted and tried again. No dice. I did read that the virus may try to stop you from installing and/or running anti virus, so i'm a little worried about the issues. I think for about 2-3 weeks i kept getting a pop-up from McAfee saying that my computer was unprotected and that the virus scan, IM scan and others had been turned off. But i just thought it was windows being its usual stupid self.
So i D/L avast and it is scanning. It seems as though it just does a slow progressive scan of the HDD. Is that about right? It didn't do the scan prior to windows logging on. I did this 2 times and no scan. So i'm (with contempt) using windows defender to scan as well as having Avast scan. I haven't seen any issues yet. I do have that CCleaner program they talked about that i run every 2-3 days when i've finished using the comp.
I'm so far just relying on Avast to work now i guess since i uninstalled McAfee and now it won't let me reinstall.
So what's the verdict? Scrap the computer and take to snail mail and give up AO?
- Alphacenta
Re: MALWARE vs Adobe software / PDF reader / Flash player
Avast > Mcafee anyway so no biggy for you there. 
Chris, does this thing go up for Linux OS too like Ubuntu? I assume not but..?

Lupusceleri L220/24 Agent.
Silversmith upcoming TL5 twink.
Wolfseye L110/12 Adventurer (towertwink).
Lysdexic L90/9 Agent (Mimic Enf towertwink).
Aesculapias L21/2 Doctor (ancient).
Aaaand various other alts.
Re: MALWARE vs Adobe software / PDF reader / Flash player
Thx for the headsup chris. Btw rojo is your windows installation fully updated cause there was a security update pretty recently that killed a trojan on my PC.
If it's not broken, you're not trying hard enough!!
-DC-Grind42-Nightcrawler-
Damage Clan
General of Athen Paladins
Re: MALWARE vs Adobe software / PDF reader / Flash player
1) An anti-virus or anti-spyware is as good as its last virus/spyware database. Period. Wonderful algorithms can't do anything if the database is outdated or incomplete. (Don't believe too much in so-called "heuristic" systems implemented in security software.) Avast was better here because it was updated first. Could have been another one as well. Avast, AVG, McAfee, to name a few, all work well. Norton Security is a resource hog that may create several compatibility issues. (If it doesn't on your comp, then you can be happy with it.) Still, it works but it's not necessarily the fastest one regarding updates.
2) An anti-virus or anti-spyware NOT regularly updated is useless, and even dangerous in some situations.
3) To my knowledge (so I may be wrong), Gumblar can do its dirty work only on Windows systems. But if you have Windows applications running on a Linux system under a Windows emulator like Wine, I can't guarantee what may happen if your FTP software is a Windows one and not a Linux one. You need someone more knowledgeable than me about Gumblar.
4) Once Gumblar has reached a web site, it will be able to contaminate the users of that site, regardless of the fact that the web server works with Linux (Apache server, lighttpd, etc.) or a Windows web server. Simply because it uses the web features themselves.
5) Two anti-virus or anti-spyware programs usually can't coexist on the same computer. Not only can't they run together (sooner or later something will happen), but even if you don't launch one, the other will probably detect it and will see it as a potential threat.
6) Elrojo, not sure about your laptop. I'll reread carefully what you said. But so far, I'd say first run windows update and update everything regarding security and web in general, and all the basic programs in Windows.
Re: MALWARE vs Adobe software / PDF reader / Flash player
Gumblar was named after the site it tried to connect to (no I won't give the URL). The site is dead.
Good news? Not exactly: a new version of Gumblar is now working for a site called Martuz (I won't give the URL either), and the system has been improved. Martuz was discovered a few days ago, and named recently.
Precautions for your PC are still the same. Update Flash / Acrobat / Adobe reader and scan your PC (Avast works vs Gumblar: I just was able to verify it on an HTML email. Other antivirus will certainly be able to detect it soon, maybe they are already.)
On the other hand, for webmasters, the work is now harder as Martuz hides its code better on websites. One explanation among several others:
http://blog.unmaskparasites.com/2009/05 ... r-exploit/
It seems that we are going to face a series of Gumblar-like exploits.
Re: MALWARE vs Adobe software / PDF reader / Flash player
Cheers chris.
I got rid of McAfee just because of the scan issues. Avast has been running for 8 hrs and scanned 8k files with no threats. Windows defender found nadda also, neither did the latest windows based malware scan.
Grind... Yeah i updated windows just before i did all this crap. I also updated Adobe aaaand Adobe flash to the latest ones from Chris's cut and paste link.
I'll just change all my P/W at work for netbanking etc today as work seems to be fine. But i do check my balances regularly of those things so nothing would really slip through for very long. Apparently small time money theft isn't the aim of Gumblar anyway. It was to take money off google by directing people to "certain websites". I'm not sure what that means but i hope i'm safe here in little Aussie. They said only like 2300 sites were infected. I really only use this webpage, ao-universe, auno and my emails so hopefully of the BILLIONS of other sites that it could affect it hit those rather than the few that i use!
Oh windows keeps telling me Avast is out of date, even though when i click update it tells me it's the latest update. So lucky me gets a pop-up every 5 mins telling my computer is at risk. Thanks Windows!
Re: MALWARE vs Adobe software / PDF reader / Flash player
Elrojo wrote: Oh windows keeps telling me Avast is out of date, even though when i click update it tells me it's the latest update. So lucky me gets a pop-up every 5 mins telling my computer is at risk. Thanks Windows!
The red pop-up from Avast? Screenshot please?
Elrojo wrote: Avast has been running for 8 hrs and scanned 8k files with no threats.
This is not at all a normal time for a scan of 8K files. What were your scan options? Default ones?
I just checked, with "standard" scan, it took less than 4 minutes to scan like 8K files, on a relatively old Athlon 3200+ with 1 GB RAM and a Hitachi/IBM SATA2 HD.
Edit: 89958 files / 5298 folders / 14.4 GB total (just my main programs folder... sigh)
Time spent scanning in Standard Mode: 21 minutes
Maybe try the following too: turn windows security off before running Avast (a clean install ofc) but disconnect your computer from the Internet before turning Windows firewall off, of course!
Re: MALWARE vs Adobe software / PDF reader / Flash player
looked at windows this morning and now it trusts that avast is the latest update!
With regards to avast scanning. On 2 of the computers i installed it on at work after restart it ran a pre-windows full check which took about 15-25mins. But after that it just seems to click over. The first one i installed has been running for about 36hours and it has checked 24K files. It just seems to scan and scan and scan. The laptop at home didn't run the boot-up scan but is just scanning files. There is no control panel or setting as far as i can see to say "run full scan" or "schedule". I D/L the home version, if that helps.
Re: MALWARE vs Adobe software / PDF reader / Flash player
Elrojo, in the system tray, look for the Avast icon, r-click it and you'll see the menu. You can start scans and set them, and you also have Program Settings. Do you have that?
Something is totally wrong on your systems. In the end you might kill your hard drive. "36hours and it has checked 24K files" means something is interfering with Avast, or something is corrupted. Can't say. Please have first a look at the menu.
Re: MALWARE vs Adobe software / PDF reader / Flash player
i have the program settings. Not sure where you start a scan though. I have a few menus like... common, Appearance, chest, confirmations etc. But nothing that says "start scan" or scan now or schedule scan.
From what it looks like i just let it run in the back ground and it does its little real time scanning. I don't mean that i said "scan now" and then it took 36 hours. I just mean the number ticks over. ATM the last file it scanned was for Athens Paladins.
On a side note WMP 11 is now not working. I click on it and nothing opens. I click on a movie and say "open with WMP" and nothing happens.... Any ideas?
Re: MALWARE vs Adobe software / PDF reader / Flash player
Not sure how your avast is installed or what is happening. Here are the menus though:
R click Icon in system tray
If you click on the Start Avast! Antivirus line you get this
From inside the Window just above or from inside the systemtray menu, you can access Programs Settings. Do you have that? Please say. Because you confuse me.
About Windows Media Player, looks like something is corrupted. Probably in the actions attached to a kind of file. It can be edited through Windows tools but it's a bit complicated if you're not used to that job. (In File explorer, Options, Files (or folders) options, Files Types, then Advanced options for each file type concerned.) You'd better reinstall WMP.
Or get VLC media player free. http://www.videolan.org/
Re: MALWARE vs Adobe software / PDF reader / Flash player
yes i have those menus!! I worked it out last night. It scanned 100K files in about 30 mins. Not sure about WMP, i do have VLC player and WinAmp. I just liked WMP as i was used to it and had all my stuff organised in it. I also have iTunes but i don't like it as much.
It didn't find any viruses in the scan btw