Thursday, June 11, 2009

Big-name sites spread latest malware infections

Big-name sites spread latest malware infections

Susan Bradley By Susan Bradley

Going by such names as Gumblar, JSRedir-R, Martuz, and Beladin, a new generation of malware has managed to surreptitiously place malicious JavaScript code on tens of thousands of popular Web sites.

The hacker scripts try to infect site visitors and then attempt to use their compromised PCs to spread the infection to yet other sites.

Over the past month, the security services ScanSafe and Sophos have reported infections on such major Web sites as,, and Niels Provos reported in the Google security blog on June 3 that sites infected with Gumblar numbered about 60,000. Visitors became susceptible to infection simply by opening the sites in Internet Explorer.

After the script infects a PC, it attempts to spread its code to any Web site accessible via that machine's FTP client, if one is present. Webmasters often use FTP to make changes to the sites they manage. If FTP software is configured to save a webmaster's sign-in information, the malware can edit itself into a Web site's pages.

Once a PC is running this class of malware, the hacker code tries to trick the user into opening infected PDF and Flash files. If the PC has an unpatched version of Adobe Reader, Acrobat, or Flash, opening an infected file can install a keylogger or other malware. In the case of Gumblar, Google search results in an Internet Explorer window are rewritten — in a way that end users may not notice — so the links point to hacker sites laden with infected PDF and Flash.

Security firms have made efforts to block domains that serve as malware destinations in this latest round of attacks. But the bad guys quickly move to substitute other domains in what has been compared to a game of Whack-a-Mole.

Meanwhile, it's not so easy to shut down a well-known, legitimate site that's infected (although many such sites have quickly been cleaned up). You can't protect yourself simply by visiting only "trusted" sites, because there's no easy way for an end user to determine whether a legitimate site is infected.

Fortunately, you can stack the odds in your favor by following the guidelines in the Windows Secrets Security Baseline:

* Step 1: Use a hardware firewall.
* Step 2: Install a set of security software.
* Step 3: Scan your system regularly with a software-update service (more on these below).
* Step 4: Use Mozilla's Firefox or Google's Chrome browser, both of which are more secure than Internet Explorer.

The rise of a new form of Web-based threat

On May 27, the Microsoft Malware Protection Center blog reported that a malware family Microsoft refers to as Gamburl and Redir was infecting legitimate Web sites by embedding malicious scripts in the sites' HTML code. A system running Windows XP could become infected simply by opening a seemingly trustworthy site. (Gumblar, also called JSRedir-R and Martuz, doesn't affect Vista PCs, according to the Unmask Parasites blog.)

Once an XP machine is infected, passwords for FTP sites are retrieved and placed into a file called sqlsodbc.chm. This file is a legitimate SQL help file in Windows XP and 2000, but it's not used on Vista machines.

To determine whether Gumblar has struck your PC, test sqlsodbc.chm, which is located in XP's C:\Windows\System32 folder:

* Step 1. Download the free FileAlyzer program from the Softpedia site and install the program on your system.

* Step 2. Press the Windows key and E to open an Explorer window. Navigate to the C:\Windows\System32 folder, right-click the sqlsodbc.chm file, choose Analyze file with FileAlyzer 2, and note the file size and SHA1 hash value. (See Figure 1.)

FileAlyzer file-check utility
Figure 1. The FileAlyzer utility checks the sqlsodbc.chm file to determine whether your PC is infected with Gumblar.

* Step 3. Compare the file size and SHA1 hash value with the listing of good file types published on the Microsoft Malware Protection Center blog. If the file doesn't check out, update your machine's anti-malware software and run a full system scan. The scan should find and clean out the infection. On my test PC, the sqlsodbc.chm file had the expected values, which proved that the system wasn't infected.

Once your copy of sqlsodbc.chm comes up clean, you need to take steps to ensure that it stays that way. Download the latest virus definitions for your antivirus software. Also, ensure that Adobe Reader, Acrobat, Flash Player, and all your other third-party media players and applications have the latest patches.

Home and small-business users can run a free update checker such as Shavlik Patch, which you can download from the vendor's site. (Note that the program requires the free Google Desktop, which is available on Google's site.) A complete review of Shavlik Patch and several competing update programs is in my May 28 top story.

For business networks, I recommend Shavlik's NetChk Protect. I use this utility — which costs from U.S. $104 for two seats — to patch my own firm's network. You can find information about NetChk Protect on Shavlik's site.

For an added measure of protection, configure your PC to use the OpenDNS service, which lets you block categories of sites that you don't visit. You'll find complete instructions for making the required changes to your router on the OpenDNS tutorial page.

To make OpenDNS your DNS server, you can run your router's advanced settings program and manually set its DNS options to and (See Figure 2.)

OpenDNS settings dialog
Figure 2. Make OpenDNS your primary and secondary DNS server in your router's DNS settings to block potentially dangerous sites.

It's theoretically possible to manually enter in the OpenDNS settings page the URLs of sites you want to block. But trying to keep up with the latest list of Gumblar sites is nearly impossible. ScanSafe's STAT Blog indicates that the rate of Gumblar infection is slowing. But new infected domains — all of which use China's .cn top-level domain — are popping up as fast as others are being shut down.

Boost XP's defenses against Gumblar-like attacks

If you feel your XP system needs more protection — for example, you own a PC used by unsupervised teenagers — consider creating user accounts that lack administrator privileges. Granted, XP's limited accounts are often a pain to use because they restrict downloads, settings changes, and other common actions. An article on Microsoft's site explains limited user accounts and describes how to set them up.

Fortunately, the type of limited accounts in the forthcoming Windows 7 will be much easier to use. This is because the most common applications will run properly under Win7 without administrator rights. Steve Friedl's site includes a Tech Tip that describes Windows 7's enhanced User Account Control.

Gumblar definitely makes Web surfing with Internet Explorer more hazardous. If your PC is infected, merely searching in Google for seemingly innocent topics can lead you to a site you never intended to visit.

Google's Niels Provos recommends in his Top 10 Malware Sites blog that people use Firefox, Chrome, or another browser that taps into Google's Safe Browsing API. The API blocks Web destinations on Google's list of potentially dangerous sites, which the company claims to update continuously.

Here are some additional ways you can protect yourself:

* Make a full system backup. Create a backup of your PC using drive-imaging software such as the $50 Acronis True Image Home. (A 15-day free trial can be downloaded from the Acronis site.) Be ready to roll back to a prior image should your PC become infected.

* Use Windows SteadyState. This free program "freezes" a machine, preventing changes that could be harmful. For more information and a download link, visit the product page on Microsoft's site. (Windows Genuine Advantage validation is required for the download.)

* Browse in a sandbox. WS senior editor Ian "Gizmo" Richards described free sandbox programs in an Oct. 16, 2008, article. A sandbox lets you open suspicious links without putting your system's security at risk.

* Don't use Internet Explorer. All versions of IE are vulnerable to Gumblar and similar Web threats, but especially IE 6 is an infection waiting to happen. If a site or application requires Internet Explorer, update to IE 8 if you can. If you can't, download IE 7 as a bare minimum (although it's by no means a remedy). You can download IE 7 from Microsoft's Download Center and IE 8 from the browser's page on Microsoft's site.

If you simply must use IE 6 because some site or application requires it, urge the errant developers to make their code support the latest version of IE instead.

For tips on running and optimizing Firefox, Chrome, and other non-IE browsers — including OpenDNS and the security-enhancing NoScript extension for Firefox — see a comprehensive six-part article at

Some of the above precautions may sound like paranoia, but I consider them the digital equivalent of locking your car doors and staying out of dark alleys.

No comments: