Csonicgo

New variant of Gumblar virus


I'm 100% serious on this. There's a new Gumblar variant attacking Google software through Google Chrome... that was just patched today. Be sure to update it if you use it.

the payload is absolutely ridiculous.

Major name-brand anti-virus programs are not detecting it, MBAM cannot detect it, TeaTimer cannot detect it. It modifies the kernel at runtime, installs a botnet and turns Google Updater into a mass downloader. It's got every failsafe in the book. Not even Safe Mode or Repair Mode will resolve it. Only reformatting and reinstalling seems to be the most effective solution at this point. This exploit could affect both Linux and Windows versions, but targets Windows at this time.

Like I said, there is a patch available, but it doesn't repair the damage. I don't think it's possible to kill this one with traditional methods, since it does some voodoo with the kernel to ensure the machine remains compromised. It infected my Eee PC last night somehow through a link on Facebook. I shall never use Facebook again.

Microsoft are the only ones who can fix this one. I predict it will most likely take the form of a CD-ROM ISO to burn or a bootable USB key creation setup program. Since the rootkit deletes all System Restore points, this seems to me like the best possible way they could ensure the infection is eliminated.


Csonicgo said:
Microsoft are the only ones who can fix this one.

I remember that, back when I worked as a technical support agent for MSN, a high level technician suggested that, based on the IPs it originated from, the Blaster worm exploit came from Microsoft itself because hitting the customers was the only reliable way to address vulnerabilities in a way that could get ahead of third party attackers. Maybe this one was made by Microsoft, too, but for other reasons :p


This one seems to be from China, again.
Here's the parasites blog from the first wave:

And the entry about the second wave...


And one on the latest attacks. It's got a brand-new bag.

They're all related, which means that perhaps the attackers are learning from their previous mistakes...

Csonicgo said:

modifies the kernel at runtime


I'm no expert on OS design, but wouldn't limiting access to the kernel be a good idea?

Scet said:

I'm no expert on OS design, but wouldn't limiting access to the kernel be a good idea?


They apparently realized that after MS-DOS. It also seems strange to me that it can modify the kernel, but then again, I can't imagine what the kernel could do to stop a direct disk access writing certain things exactly where a certain .dll file lies...


That's the scary part. In all my years as a Mr. FixIt for everything from Win95 to WinNT, I have NEVER seen a virus like this from a drive-by download. Usually something this malicious would have to be willingly executed by the user. No more, apparently. Shit. Whoever programmed this thing is no mere script kiddie. They know 0-day exploits.


EDIT: I have just been informed that this latest wave was a specific revenge attack. They were attacking the university Dr. Gary Warner (the guy who investigated the worm and found out where it was coming from and how it operated) taught at and compromised that university's web servers. The problem? He is a professor at the university I am enrolled in. He's MY PROFESSOR.


...I feel sick.


Why would Microsoft have to deal with it if the browser affected is by Google?

Csonicgo said:

This exploit could affect both Linux and Windows versions, but targets Windows at this time.

Out of curiosity, what's the attack vector for Linux? Through a browser and Google Updater still? You mention that it modifies the kernel during runtime. I have a hard time believing it'll modify the Linux kernel while it's running if you run your system properly (i.e., not as root). Not saying I don't believe it at all, just that it's harder for me to believe.


The kernel claim sounds more like a misunderstanding. The virus's vector is JavaScript injection and XSS attacks (pretty common) which lead/combine to a drive-by download (pretty common too, on IE at least). The "novelty" lies in that it downloads more smart executable code that allows it to fuck up webpages directly on servers, by using FTP passwords and modifying HTML files on the spot.

Probably it doesn't fuck up the "kernel" anymore than any other viruses do (some random dll will probably pop up somewhere and hide as a rootkit). If it does...well...that's a pretty bad thing to have a fucked up kernel.dll :-/

Although I suppose you can overwrite it with a good known copy if you use a bootable CD without deleting everything, assuming you remove any other infection mechanisms too (usually registry and startup).

Since JavaScript works on any OS, it could infect Linux too if they have a suitable executable infector.


Yeah, when I said exploit, I meant the entire system. That includes the rootkits.

Edit: about replacing the kernel, the rootkit hides its binary code as miscellaneous values in the registry and hides the "reconstruction code" somehow as a Run entry... as far as I can tell. The only way to really kill it is to back up the registry every so often and apply the backups.

Why the registry isn't backed up by windows itself every so often is odd to me.

Csonicgo said:

Why the registry isn't backed up by windows itself every so often is odd to me.


Well, it actually is... by System Restore points, which are promptly deleted and disabled by any decently-written virus ;-)

If you keep a recent full-file backup of the registry however (using a boot CD, not that lame-ass shitty registry export while windows is still running), and you can restore all system files from untouched copies (again, a boot CD and a file-by-file copy of the windows directory should work), I see no reason why you couldn't restore your system without reformatting.

Actually, a file-by-file copy of the c:\windows directory includes the registry (it's in system32\config, so you are set), but it's a pretty uncommon backup to perform, that's why it's not recommended as a sure-fire mass-remedy.

The only shitty thing could be if the virtual memory and the boot code (NTDETECT.COM etc.) are fucked up, including the HD's boot sector... but even those can be manually restored from "good" copies, and the virtual memory can be flushed. Hmm... I think I'm going to make a full-file backup of that shit tomorrow morning.


While NoScript provides some protection against this sort of shit, I'm backing up my C: partition ASAP.

Mr. Chris said:

Why would Microsoft have to deal with it if the browser affected is by Google?

The new variant that attacks through Google Chrome is probably payback for Google blacklisting the originating website. In any case, why shouldn't Microsoft get involved - it's their OS that's under attack.

DJ_Haruko said:

Out of curiosity, what's the attack vector for Linux? Through a browser and Google Updater still? You mention that it modifies the kernel during runtime. I have a hard time believing it'll modify the Linux kernel while it's running if you run your system properly (i.e., not as root). Not saying I don't believe it at all, just that it's harder for me to believe.

There is no Linux version. What you say is correct.

Presumably the kernel-modifying shenanigans don't work on Windows either if you're running as an unprivileged user.

EDIT: Apparently, it infects machines through a vulnerability in Acrobat Reader. Disable "Acrobat JavaScript" and you're safe (who on earth wants that anyway?)


So long as they haven't found a similar vulnerability in Foxit Reader. <disables JavaScript support>

EDIT - FileZilla saves passwords as plain text. SHIIIIIIT!!

GreyGhost said:

EDIT - FileZilla saves passwords as plain text. SHIIIIIIT!!

Anything that "saves passwords" is inherently insecure in the same way - even if you obfuscate the passwords on disk, it adds no security, because you have to be able to decrypt them again without entering a password.

In fact, Filezilla does the correct thing by storing them in plain text. To obfuscate them in an encrypted-but-insecure format would add a false sense of security. At least it's honest and doesn't mislead you.

The exception to this is "keyring" systems that store multiple passwords encrypted, requiring you to enter a single password to unlock the keyring. Gnome and Mac OS X both have these.

fraggle said:

Disable "Acrobat JavaScript" and you're safe (who on earth wants that anyway?)


A better question to ask is "Why on Earth is that in Acrobat in the first place?".

fraggle said:

Presumably the kernel-modifying shenanigans don't work on Windows either if you're running as an unprivileged user.


You hit the nail on the head, and the reason why it got in in the first place is (a) WinXP uses an Administrator account by default and (b) there is no obvious way to run a program with admin privileges using the unprivileged user's settings, due to stupid things like power profiles being admin-only operations. Of course it's possible now, but it's so deep into the OS that most users won't even see it, or know how to use it. This is retarded default behavior.

fraggle said:

Anything that "saves passwords" is inherently insecure in the same way - even if you obfuscate the passwords on disk, it adds no security, because you have to be able to decrypt them again without entering a password.

In fact, Filezilla does the correct thing by storing them in plain text. To obfuscate them in an encrypted-but-insecure format would add a false sense of security. At least it's honest and doesn't mislead you.

The exception to this is "keyring" systems that store multiple passwords encrypted, requiring you to enter a single password to unlock the keyring. Gnome and Mac OS X both have these.

To play a bit of a devil's advocate...

I think one thing to keep in mind is that saving them unencrypted on the disk opens up a hole: what if your computer is on, is not locked by a screensaver or something, and someone accesses those while you aren't there? Or you have the file open, looking at something else in the same file as your password (a totally plausible situation), and someone peeks over your shoulder? They're totally plausible situations. Encrypting them at least makes it so that they aren't human readable when they shouldn't be, and encrypting them with strong encryption at least makes them pretty secure against rainbow tables or other attacks. Any reasonable software should use secure memory when decrypting the password as well.

Plain text for passwords isn't bad, and sometimes the convenience outweighs the cons; it just has its own holes you have to deal with.

EDIT: I think it also depends on the purpose of the software. Fetchmail and Filezilla would connect to other services, so if the attacker's goal is to connect as you, then yes, encryption is useless.

DJ_Haruko said:

To play a bit of a devil's advocate...

I think one thing to keep in mind is that saving them unencrypted on the disk opens up a hole: what if your computer is on, is not locked by a screensaver or something, and someone accesses those while you aren't there? Or you have the file open, looking at something else in the same file as your password (a totally plausible situation), and someone peeks over your shoulder? They're totally plausible situations.

Except it still doesn't really add any proper security. If you forgot to lock your screen, instead of opening the password file, they could be copying it to their own machine or onto a flash drive for later decryption. The looking-over-your-shoulder thing doesn't really seem *that* likely; what would you be looking at in the same file as your password file? I guess it's the most plausible situation in which it would help, but you could always have a scenario where the guy looking over your shoulder has a photographic memory :-)

Encrypting them at least makes it so that they aren't human readable when they shouldn't be, and encrypting them with strong encryption at least makes them pretty secure against rainbow tables or other attacks. Any reasonable software should use secure memory when decrypting the password as well.

Nope, that's the point - it makes zero difference whether you're using plain text, ROT13, or AES256. There is no difference at all what encryption you use, because the insecurity is inherent in the design. The FTP client has to be able to decrypt the "encrypted" file, without prompting for a password (which would defeat the point). Therefore, it is always possible to write a program to do exactly the same thing and display the plain text password.

In the end it comes down to the fact that obfuscating passwords like this does nothing to protect them, but gives a false sense of security to the users, who might open the password file, and feel like they have some protection, when in fact they don't. Using plain text passwords is at least honest - "make sure you secure this file, because look, your passwords are right here".

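The two posts above argue the same point from opposite sides: a client that "encrypts" saved passwords with a key baked into its own binary is no better than plaintext, while a keyring that derives its key from a master password you type is genuinely different. The following is an added example (it is not code from the thread, nor FileZilla's real storage format): the client-side obfuscation scheme, a hypothetical base64 of XOR with a constant key, is invented for illustration, and the keyring uses PBKDF2 to derive separate encryption and MAC keys from a master password with an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag.

```python
"""Added example: recoverable 'obfuscated' passwords vs a master-password keyring.

The CLIENT_KEY scheme is hypothetical and stands in for any FTP client that can
decrypt its own saved passwords without asking the user for anything.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical constant an attacker can lift straight out of the client binary.
CLIENT_KEY = b"sitemanager-static-key"


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (used for both the toy obfuscation and the keystream)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def client_save(password: str) -> str:
    """What an 'encrypting' client does: reversible with no user secret involved."""
    return base64.b64encode(_xor(password.encode(), CLIENT_KEY)).decode()


def attacker_recover(blob: str) -> str:
    """Any program that can read the file can do exactly what the client does."""
    return _xor(base64.b64decode(blob), CLIENT_KEY).decode()


# --- keyring: the key never sits on disk; it is derived from the master password ---
def _derive_keys(master: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 -> 64 bytes, split into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: HMAC(key, nonce || counter) blocks until n bytes."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def keyring_seal(master: str, password: str) -> bytes:
    """Encrypt-then-MAC one password; record = salt || nonce || tag || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    pw = password.encode()
    ct = _xor(pw, _keystream(enc_key, nonce, len(pw)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def keyring_open(master: str, record: bytes) -> Optional[str]:
    """Return the password, or None if the master password is wrong or the record was tampered with."""
    salt, nonce, tag, ct = record[:16], record[16:32], record[32:64], record[64:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode()


if __name__ == "__main__":
    blob = client_save("hunter2")
    print("client file holds:", blob, "-> attacker recovers:", attacker_recover(blob))
    rec = keyring_seal("correct horse battery staple", "hunter2")
    print("keyring with wrong master password:", keyring_open("guess", rec))
```

The difference is not the cipher: the obfuscation branch would be just as hollow with AES, because the only input to decryption is data the attacker already has. The keyring branch adds an input the attacker does not have, and the MAC check means a wrong master password yields "no" rather than garbage.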

I've got Javascript enabled in all my browsers in the administrator's account I always use to surf. I trust the internet. He won't try anything against me. We go waaaay back and he knows it.

Creaphis said:

I've got Javascript enabled in all my browsers in the administrator's account I always use to surf. I trust the internet. He won't try anything against me. We go waaaay back and he knows it.

He lies to you :O

In any case, I'm still using IE 8 IE 7 and I have most secondary options disabled lest I come across a situation where I should need them. This looks like one nasty bugger, but I'm not gonna worry since it's only going through Google Chrome.

I should probably warn the people I know who DO use it though....

Csonicgo said:

You hit the nail on the head, and the reason why it got in in the first place is (a) WinXP uses an Administrator account by default and (b) there is no obvious way to run a program with admin privileges using the unprivileged user's settings, due to stupid things like power profiles being admin-only operations. Of course it's possible now, but it's so deep into the OS that most users won't even see it, or know how to use it. This is retarded default behavior.


Sadly most people do run on their administrator accounts. I used to until I learned that you can limit the damage a virus does by using a limited account that doesn't have admin privileges. However, how many people currently using Windows know that? Probably not a lot.

Creaphis said:

I've got Javascript enabled in all my browsers in the administrator's account I always use to surf. I trust the internet. He won't try anything against me. We go waaaay back and he knows it.

It's JavaScript in PDF files that's the issue. Presumably, Adobe Reader has a built-in JavaScript interpreter that hasn't had the same kind of exposure that the normal in-browser JavaScript interpreters have had to the thousands of script kiddies out there looking for holes to exploit.

The reason for this, of course, is that JavaScript in PDF files is something that nobody wants, needs or uses. It's just something Adobe tacked onto their product so that they can say their product has new features. A classic example of how simple things are easy to secure, complicated things are difficult to secure.

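Since the vector under discussion is script embedded in a PDF rather than the browser itself, a practitioner's first check on a suspicious download is whether the file carries script or auto-run actions at all. The following is an added example, not code from the thread or from any Adobe tool: a byte-level scan for the PDF name tokens that attach JavaScript (/JS, /JavaScript) or run it without a click (/OpenAction, /AA, /Launch), after undoing the #xx hex escapes PDF allows inside names, which malicious files use to hide /JS from naive string matches. The two sample PDFs are constructed inline for the demonstration.

```python
"""Added example: flag PDFs that embed JavaScript or automatic actions.

Works on raw bytes so it needs no PDF library and also sees objects that a
parser might skip; it is a triage check, not a full PDF parser.
"""
import re

# Names that attach script (/JS, /JavaScript) or fire it automatically
# (/OpenAction on document open, /AA additional actions, /Launch runs a program).
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")


def _decode_name_escapes(data: bytes) -> bytes:
    """PDF names may hex-escape characters: /J#53 is the same name as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {'is_pdf', 'hits': {name: count}, 'suspicious', 'auto_exec'}."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "hits": {}, "suspicious": False, "auto_exec": False}
    normalised = _decode_name_escapes(data)
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not match /JSomething.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, normalised))
        if count:
            hits[name] = count
    has_script = "/JS" in hits or "/JavaScript" in hits
    has_trigger = "/OpenAction" in hits or "/AA" in hits
    return {
        "is_pdf": True,
        "hits": hits,
        "suspicious": bool(hits),
        # Script plus an automatic trigger is the drive-by shape: opening the file is enough.
        "auto_exec": has_script and has_trigger,
    }


# Constructed samples (not real malware): a plain document and one that runs
# script on open, with /JS spelled as /J#53 to evade a plain text search.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                b"3 0 obj\n<< /S /JavaScript /J#53 (app.alert(1)) >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, scan_pdf(sample))
```

A hit is a reason to open the file in a reader with JavaScript disabled (or not at all), not proof of malice; legitimately scripted forms trigger it too. Streams compressed with /FlateDecode can hide the action objects from this scan, so a clean result is weaker evidence than a dirty one.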

fraggle said:
The reason for this, of course, is that Javascript in PDF files is something that nobody wants, needs or uses

Indeed, it's there since version 3. That was a surprising realization.

Prince of Darkness said:

If I'm not using Google Chrome, would I be alright?

No. If you're not using Adobe Reader, or you disable JavaScript in PDF files, you're safe.


Firefox FTW.

But in all seriousness.. why do people use other browsers... Firefox is the 99% safest browser.. Glad I installed Firefox onto my dad's laptop.. He used the Google one..


If you read the thread, you'd realize the exploit is caused by Acrobat loading a corrupted PDF file with JavaScript, meaning Firefox isn't any safer than Google Chrome or IE.

David_Dweedle said:

Firefox FTW.

But in all seriousness.. why do people use other browsers... Firefox is the 99% safest browser.. Glad I installed Firefox onto my dad's laptop.. He used the Google one..

Remind me again why you were unlosered?

fraggle said:

The reason for this, of course, is that JavaScript in PDF files is something that nobody wants, needs or uses. It's just something Adobe tacked onto their product so that they can say their product has new features. A classic example of how simple things are easy to secure, complicated things are difficult to secure.


Not quite. We had an upcoming change to disable JavaScript in a government department due to the virus. As soon as the various branches heard about it, they got it canned as they used the feature extensively.


fraggle said:
No. If you're not using Adobe Reader, or you disable JavaScript in PDF files, you're safe.

Funny thing is, on this system of mine, the latest Reader that works is 4.0, and the feature to disable the program's JavaScript was introduced in 6.0.

Still, I'm not sure if Firefox can open a PDF without the "what do you want to do with this file?" dialog. If it can't, I'm not too concerned about the vulnerability.

