Archvile
Register | User Profile | Member List | F.A.Q | Privacy Policy | New Blog | Search Forums | Forums Home
Doomworld Forums : Powered by vBulletin version 2.2.5 Doomworld Forums > Misc. > Everything Else > New variant of Gumblar virus
Pages (2): [1] 2 »  
Author
All times are GMT. The time now is 15:28. Post New Thread    Post A Reply
Csonicgo
This post is probably useless


Posts: 3823
Registered: 03-04
I'm 100% serious on this, There's a new gumblar variant attacking google software through Google Chrome... that was just patched today. Be sure to update it if you use it.

the payload is absolutely ridiculous.

Major name-brand Anti-virus programs are not detecting it, Mbam cannot detect it, TeaTimer cannot detect it. It modifies the kernel at runtime, installs a botnet and turns Google updater into a mass downloader. It's got every failsafe in the book. not even safemode or Repair mode will resolve it. only reformatting and installing seems to be the most effective solution at this point. This exploit could affect both Linux and Windows versions, but targets Windows at this time.

Like I said, There is a patch available, but it doesn't repair the damage. I don't think it's possible to kill this one with traditional methods, since it does some voodoo with the kernel to ensure the machine remains compromised. It infected my Eee PC last night somehow through a link on facebook. I shall never use facebook again.

Microsoft is the only ones who can fix this one. I predict it will most likely take the form of a CD-ROM iso to burn or a bootable USB Key creation setup program. Since the rootkit deletes all System restore points, this seems to me like the best possible way they could ensure the infection is eliminated.
Old Post 06-23-09 22:37 #
Csonicgo is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
myk
webbed digits


Posts: 14316
Registered: 04-02
Csonicgo said:
Microsoft is the only ones who can fix this one.
I remember that, back when I worked as a technical support agent for MSN, a high level technician suggested that, based on the IPs it originated from, the Blaster worm exploit came from Microsoft itself because hitting the customers was the only reliable way to address vulnerabilities in a way that could get ahead of third party attackers. Maybe this one was made by Microsoft, too, but for other reasons :p
Old Post 06-23-09 22:45 #
myk is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Csonicgo
This post is probably useless


Posts: 3823
Registered: 03-04
This one seems to be from China, again.
Here's the parasites blog from the first wave:

And the entry about the second wave...


And one on thelatest attacks. It's got a brand-new bag.

they're all related, which means that perhaps the attackers are learning from their previous mistakes...

Last edited by Csonicgo on 06-23-09 at 22:59
Old Post 06-23-09 22:53 #
Csonicgo is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
myk
webbed digits


Posts: 14316
Registered: 04-02
Well, this seems to hint it's of Russian origin.
Old Post 06-23-09 23:00 #
myk is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Scet
Member


Posts: 451
Registered: 05-06
Csonicgo said:
modifies the kernel at runtime


I'm no expert on OS design, but wouldn't limiting access to the kernel be a good idea?
Old Post 06-23-09 23:01 #
Scet is offline Profile || Blog || PM || Search || Add Buddy IP || Edit/Delete || Quote
Maes
I like big butts!


Posts: 7951
Registered: 07-06
Scet said:
I'm no expert on OS design, but wouldn't limiting access to the kernel be a good idea?


They apparently realized that after MS-DOS. It also seems strange to me that it can modify the kernel, but then again, I can't imagine what could the kernel do to stop a direct disk access writing certain things exactly where a certain .dll file lies...
Old Post 06-23-09 23:02 #
Maes is offline Profile || Blog || PM || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Csonicgo
This post is probably useless


Posts: 3823
Registered: 03-04
That's the scary part. In all my years as a Mr. FixIt for everything from win95 to winNT, I have NEVER seen a virus like this from a drive-by download. Usually something this malicious would have to be willingly executed by the user. No more, apparently. Shit. Whoever programmed this thing is no mere Script kiddie. They know 0-day exploits.


EDIT : I have just been informed that this latest wave was a specific revenge attack. They were attacking the University Dr.Gary Warner (the guy who investigated the worm and found out where it was coming from and how it operated) taught at and compromised that University's webservers. The problem? He is a professor at the university I am enrolled in. He's MY PROFESSOR.


...I feel sick.

Last edited by Csonicgo on 06-24-09 at 00:14
Old Post 06-24-09 00:05 #
Csonicgo is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Mr. Chris
The term is "prehensile"


Posts: 3519
Registered: 07-02
Why would Microsoft have to deal with it if the browser affected is by Google?
Old Post 06-24-09 00:32 #
Mr. Chris is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
yukib1t
Will DDR for food


Posts: 2085
Registered: 06-02
Csonicgo said:
This exploit could affect both Linux and Windows versions, but targets Windows at this time.
Out of curiosity, what's the attack vector for Linux? Through a browser and Google Updater still? You mention that it modifies the kernel during runtime. I have a hard time believing it'll modify the Linux kernel while it's running if you run your system properly (ie, not as root). Not saying I don't believe it at all, just that it's harder for me to believe.
Old Post 06-24-09 00:55 #
yukib1t is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
Maes
I like big butts!


Posts: 7951
Registered: 07-06
The kernel claim sounds more like a misunderstanding. The virus' vector is Javascript injection and XSS attacks (pretty common) which lead/combine to a drive-by download (pretty common too, on IE at least). The "novelty" lies in that it downloads more smart executable code that allows it to fuck up webpages directly on servers, by using FTP passwords and modifying HTML files on-the-spot.

Probably it doesn't fuck up the "kernel" anymore than any other viruses do (some random dll will probably pop up somewhere and hide as a rootkit). If it does...well...that's a pretty bad thing to have a fucked up kernel.dll :-/

Although I suppose you can overwrite it with a good known copy if you use a bootable CD without deleting everything, assuming you remove any other infection mechanisms too (usually registry and startup).

Since Javascript works on any OS, it could infect Linux too if they have a suitable executable infector.
Old Post 06-24-09 01:09 #
Maes is offline Profile || Blog || PM || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Csonicgo
This post is probably useless


Posts: 3823
Registered: 03-04
yeah, when I meant exploit, I meant the entire system. that includes the rootkits.

Edit: about replacing the kernel, the rootkit hides its binary code as miscellaneous values in the registry and hides the "reconstruction code" somehow as a run.. as far as I can tell. the only way to really kill it is to back up the registry every so often and apply the backups.

Why the registry isn't backed up by windows itself every so often is odd to me.
Old Post 06-24-09 01:56 #
Csonicgo is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Maes
I like big butts!


Posts: 7951
Registered: 07-06
Csonicgo said:
Why the registry isn't backed up by windows itself every so often is odd to me.


Well, it actually is....by system restore points, which are promptly deleted and disabled by any decently-written virus ;-)

If you keep a recent full-file backup of the registry however (using a boot CD, not that lame-ass shitty registry export while windows is still running), and you can restore all system files from untouched copies (again, a boot CD and a file-by-file copy of the windows directory should work), I see no reason why you couldn't restore your system without reformatting.

Actually, a file-by-file copy of the c:\windows directory includes the registry (it's in system32\config, so you are set), but it's a pretty uncommon backup to perform, that's why it's not recommended as a sure-fire mass-remedy.

The only shitty thing could be if the virtual memory and the boot code (NTDETECT.COM etc.) are fucked up, including the HDs boot sector...but even those can be manually restored from "good" copies, and the virtual memory can be flushed. Hmm...I think I'm going to make a full-file backup of that shit tomorrow morning.
Old Post 06-24-09 02:07 #
Maes is offline Profile || Blog || PM || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
GreyGhost
a ghost... only grey


Posts: 5186
Registered: 01-08
While NoScript provides some protection against this sort of shit, I'm backing-up my C: partition ASAP.

Mr. Chris said:
Why would Microsoft have to deal with it if the browser affected is by Google?
The new variant that attacks through Google Chrome is probably payback for Google blacklisting the originating website. In any case, why shouldn't Microsoft get involved - it's their OS that's under attack.
Old Post 06-24-09 07:06 #
GreyGhost is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
fraggle
Super Moderator


Posts: 5904
Registered: 07-00
DJ_Haruko said:
Out of curiosity, what's the attack vector for Linux? Through a browser and Google Updater still? You mention that it modifies the kernel during runtime. I have a hard time believing it'll modify the Linux kernel while it's running if you run your system properly (ie, not as root). Not saying I don't believe it at all, just that it's harder for me to believe.
There is no Linux version. What you say is correct.

Presumably the kernel-modifying shenanigans don't work on Windows either if you're running as an unprivileged user.

EDIT: Apparently, it infects machines through a vulnerability in Acrobat Reader. Disable "Acrobat Javascript" and you're safe (who on earth wants that anyway?)
Old Post 06-24-09 16:13 #
fraggle is online now Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
GreyGhost
a ghost... only grey


Posts: 5186
Registered: 01-08
So long as they haven't found a similar vulnerability in Foxit Reader. <disables Javascript support>

EDIT - FileZilla saves passwords as plain text. SHIIIIIIT!!

Last edited by GreyGhost on 06-24-09 at 16:56
Old Post 06-24-09 16:37 #
GreyGhost is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
fraggle
Super Moderator


Posts: 5904
Registered: 07-00
GreyGhost said:
EDIT - FileZilla saves passwords as plain text. SHIIIIIIT!!
Anything that "saves passwords" is inherently insecure in the same way - even if you obfuscate the passwords on disk, it adds no security, because you have to be able to decrypt them again without entering a password.

In fact, Filezilla does the correct thing by storing them in plain text. To obfuscate them in an encrypted-but-insecure format would add a false sense of security. At least it's honest and doesn't mislead you.

The exception to this is "keyring" systems that store multiple passwords encrypted, requiring you to enter a single password to unlock the keyring. Gnome and Mac OS X both have these.
Old Post 06-24-09 17:44 #
fraggle is online now Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Csonicgo
This post is probably useless


Posts: 3823
Registered: 03-04
fraggle said:
Disable "Acrobat Javascript" and you're safe (who on earth wants that anyway?)


A better question to ask is "Why on Earth is that in Acrobat in the first place?".

fraggle said:
Presumably the kernel-modifying shenanigans don't work on Windows either if you're running as an unprivileged user.


You hit the nail on the head, and the reason why it got in in the first place is a) WinXP is Administrator account by default and (b) there is no obvious way to run a program with admin privileges using the unprivileged user's settings, due to stupid things like power profiles being admin-only operations. Of course it's possible now, but it's so deep into the OS that most users won't even see it, or know how to use it. This is retarded default behavior.

Last edited by Csonicgo on 06-24-09 at 18:10
Old Post 06-24-09 17:53 #
Csonicgo is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
yukib1t
Will DDR for food


Posts: 2085
Registered: 06-02
fraggle said:
Anything that "saves passwords" is inherently insecure in the same way - even if you obfuscate the passwords on disk, it adds no security, because you have to be able to decrypt them again without entering a password.

In fact, Filezilla does the correct thing by storing them in plain text. To obfuscate them in an encrypted-but-insecure format would add a false sense of security. At least it's honest and doesn't mislead you.

The exception to this is "keyring" systems that store multiple passwords encrypted, requiring you to enter a single password to unlock the keyring. Gnome and Mac OS X both have these.
To play a bit of a devil's advocate...

I think one thing to keep in mind is that saving them unencrypted on the disk opens up a hole: what if your computer is on, is not locked by a screensaver or something, and someone accesses those while you aren't there? Or you have the file open, looking at something else in the same file as your password (a totally plausible situation), and someone peeks over your shoulder? They're totally plausible situations. Encrypting them at least makes it so that they aren't human readable when they shouldn't be, and encrypting them with strong encryption at least makes them pretty secure against rainbow tables or other attacks. Any reasonable software should use secure memory when decrypting the password as well.

Plain text for passwords isn't bad, and sometimes the convenience outweighs the cons; it just has its own holes you have to deal with.

EDIT: I think it also depends on the purpose of the software. Fetchmail and Filezilla would connect to other services, so if the attacker's goal is to connect as you, then yes, encryption is useless.

Last edited by yukib1t on 06-24-09 at 18:28
Old Post 06-24-09 18:20 #
yukib1t is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
fraggle
Super Moderator


Posts: 5904
Registered: 07-00
DJ_Haruko said:
To play a bit of a devil's advocate...

I think one thing to keep in mind is that saving them unencrypted on the disk opens up a hole: what if your computer is on, is not locked by a screensaver or something, and someone accesses those while you aren't there? Or you have the file open, looking at something else in the same file as your password (a totally plausible situation), and someone peeks over your shoulder? They're totally plausible situations.

Except it still doesn't really add any proper security. If you forgot to lock your screen, instead of opening the password file, they could be copying it to their own machine or onto a flash drive for later decryption. The looking-over-your-shoulder thing doesn't really seem *that* likely; what would you be looking at in the same file as your password file? I guess it's the most plausible situation in which it would help, but you could always have a scenario where the guy looking over your shoulder has a photographic memory :-)

Encrypting them at least makes it so that they aren't human readable when they shouldn't be, and encrypting them with strong encryption at least makes them pretty secure against rainbow tables or other attacks. Any reasonable software should use secure memory when decrypting the password as well.
Nope, that's the point - it makes zero difference whether you're using plain text, ROT13, or AES256. There is no difference at all what encryption you use, because the insecurity is inherent in the design. The FTP client has to be able to decrypt the "encrypted" file, without prompting for a password (which would defeat the point). Therefore, it is always possible to write a program to do exactly the same thing and display the plain text password.

In the end it comes down to the fact that obfuscating passwords like this does nothing to protect them, but gives a false sense of security to the users, who might open the password file, and feel like they have some protection, when in fact they don't. Using plain text passwords is at least honest - "make sure you secure this file, because look, your passwords are right here".
Old Post 06-24-09 23:40 #
fraggle is online now Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Creaphis
I will deliberately take a contrary position just for the sake of writing incredibly long arguments


Posts: 3953
Registered: 10-05
I've got Javascript enabled in all my browsers in the administrator's account I always use to surf. I trust the internet. He won't try anything against me. We go waaaay back and he knows it.
Old Post 06-25-09 00:48 #
Creaphis is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
Kirby
Senior Member


Posts: 1203
Registered: 10-04
Creaphis said:
I've got Javascript enabled in all my browsers in the administrator's account I always use to surf. I trust the internet. He won't try anything against me. We go waaaay back and he knows it.
He lies to you :O

In any case, I'm still using IE 8 IE 7 and I have most secondary options disabled lest I come across a situation where I should need them. This looks like one nasty bugger, but I'm not gonna worry since it's only going thru Google Chrome.

I should probably warn the people I know who DO use it though....

Csonicgo said:
You hit the nail on the head, and the reason why it got in in the first place is a) WinXP is Administrator account by default and (b) there is no obvious way to run a program with admin privileges using the unprivileged user's settings, due to stupid things like power profiles being admin-only operations. Of course it's possible now, but it's so deep into the OS that most users won't even see it, or know how to use it. This is retarded default behavior.


Sadly most people do run on their administrator accounts. I used to until I learned that you can limit the damage a virus does by using a limited account that doesn't have admin priveleges. However many people currently using Windows know that? Probably not a lot.

Last edited by Kirby on 06-25-09 at 01:11
Old Post 06-25-09 01:01 #
Kirby is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
fraggle
Super Moderator


Posts: 5904
Registered: 07-00
Creaphis said:
I've got Javascript enabled in all my browsers in the administrator's account I always use to surf. I trust the internet. He won't try anything against me. We go waaaay back and he knows it.
It's Javascript in PDF files that's the issue. Presumably, Adobe Reader has a built-in Javascript interpreter that hasn't had the same kind of exposure that the normal in-browser Javascript interpreters have had to the thousands of script kiddies out there looking for holes to exploit.

The reason for this, of course, is that Javascript in PDF files is something that nobody wants, needs or uses. It's just something Adobe tacked onto their product so that they can say their product has new features. A classic example of how simple things are easy to secure, complicated things are difficult to secure.
Old Post 06-25-09 02:01 #
fraggle is online now Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Zaldron
Sex Cauldron


Posts: 9916
Registered: 08-00
fraggle said:
The reason for this, of course, is that Javascript in PDF files is something that nobody wants, needs or uses

Indeed, it's there since version 3. That was a surprising realization.
Old Post 06-25-09 02:36 #
Zaldron is offline Profile || Blog || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Prince of Darkness
Member


Posts: 301
Registered: 12-07
If I'm not using Google Chrome, would I be alright?
Old Post 06-25-09 07:58 #
Prince of Darkness is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
fraggle
Super Moderator


Posts: 5904
Registered: 07-00
Prince of Darkness said:
If I'm not using Google Chrome, would I be alright?
No. If you're not using Adobe Reader, or you disable Javascript in PDF files, you're safe.
Old Post 06-25-09 09:28 #
fraggle is online now Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
David_Dweedle
Loser


Posts: 318
Registered: 06-09
Firefox FTW.

But in all seriousness.. Why do people use other Browsers... Firefox is 99% Safest Browser.. glad I installed firefox onto my dads laptop.. he used google one..
Old Post 06-25-09 09:38 #
David_Dweedle is offline Profile || Blog || PM || Email || Search || Add Buddy IP || Edit/Delete || Quote
Snarboo
Forum Staple


Posts: 2068
Registered: 09-04
If you read the thread, you'd realize the exploit is caused by Acrobat loading a corrupted PDF file with javascript, meaning Firefox isn't any safer than Google Chrome or IE.
Old Post 06-25-09 10:25 #
Snarboo is offline Profile || Blog || PM || Search || Add Buddy IP || Edit/Delete || Quote
fraggle
Super Moderator


Posts: 5904
Registered: 07-00
David_Dweedle said:
Firefox FTW.

But in all seriousness.. Why do people use other Browsers... Firefox is 99% Safest Browser.. glad I installed firefox onto my dads laptop.. he used google one..
Remind me again why you were unlosered?
Old Post 06-25-09 12:15 #
fraggle is online now Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
Planky
Senior Member


Posts: 1108
Registered: 12-02
fraggle said:
The reason for this, of course, is that Javascript in PDF files is something that nobody wants, needs or uses. It's just something Adobe tacked onto their product so that they can say their product has new features. A classic example of how simple things are easy to secure, complicated things are difficult to secure.


Not quite. We had an upcoming change to disable javascript in a government department due to the virus. As soon as the various branches heard about it, they got it canned as they used the feature extensively.
Old Post 06-25-09 12:32 #
Planky is offline Profile || Blog || PM || Search || Add Buddy IP || Edit/Delete || Quote
myk
webbed digits


Posts: 14316
Registered: 04-02
fraggle said:
No. If you're not using Adobe Reader, or you disable Javascript in PDF files, you're safe.
Funny thing is, on this system of mine, the latest Reader that works is 4.0, and the feature to disable the program's JavaScript was introduced in 6.0.

Still, I'm not sure if Firefox can open a PDF without the "what do you want to do with this file?" dialog. If it can't, I'm not too concerned about the vulnerability.
Old Post 06-25-09 13:34 #
myk is offline Profile || Blog || PM || Email || Homepage || Search || Add Buddy IP || Edit/Delete || Quote
All times are GMT. The time now is 15:28. Post New Thread    Post A Reply
Pages (2): [1] 2 »  
Doomworld Forums : Powered by vBulletin version 2.2.5 Doomworld Forums > Misc. > Everything Else > New variant of Gumblar virus

Show Printable Version | Email this Page | Subscribe to this Thread

 

Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts 		HTML code is OFF
vB code is ON
Smilies are OFF
[IMG] code is ON
 

< Contact Us - Doomworld >

Powered by: vBulletin Version 2.2.5
Copyright ©2000, 2001, Jelsoft Enterprises Limited.

Forums Directory