All Quiet on the Windows Front?
Yeah things are really quiet over there.
Ladies and gentlemen, mesdames et messieurs, meine Damen und Herren, дамы и господа - Unix users everywhere: the hapless crew at Microsoft have perpetrated yet another disaster on the Internet we all use.
This one's called 'Gumblar', it's already morphing, and it's considered a bigger disaster than Conficker.
Normally you wouldn't run into this sort of thing because as a Unix user you wouldn't be frequenting all those hopeless Windows sites where reporters have been going ballistic for nigh on two months now. But still and all it's out there.
A quick (uninfected) search at Google reveals dozens upon dozens of hysterical articles all warning - yet again - of approaching Armageddon. All it does to you Unix users is annoy. And pollute the Internet with useless detrimental activity.
Of course you're not about to see any of these Windows-centric sites pointing that out. You have to read between the lines as per usual.
You have to run into things such as the following.
If you suspect that your computer is infected with Gumblar, CHECK:
Step 1. Find sqlsodbc.chm in your Windows system folder (by default the location is C:\Windows\System32\).
Step 2. Obtain the Sha1 of the installed sqlsodbc.chm. You can use a free tool such as FileAlyzer to obtain the SHA1 of a file.
Step 3. Compare the obtained Sha1 with this list, released by Microsoft recently to check for Gumblar attack.
Step 4. If your SHA1 along with its size don't correlate with one pair of the list below it could be a sharp sign of Gumblar infection.
Now right away you might realise you've never heard of files with the extension CHM. And that would be because you're not stupid enough to run Windows. CHM files: an actual Microsoft de novo invention - an invention they not only use but actually didn't steal for once. And it shows.
CHM files are 'compiled' HTML files. Only Microsoft would come up with something so stupid. Only Microsoft would attempt even here to corrupt open standards. CHM files are normally application 'help' files but of course can be used for anything.
Such as spreading malware such as Gumblar.
The name 'sqlsodbc.chm' evidently really exists on Windows systems. The name implies it is a help file for the SQL Server ODBC driver (ODBC being open database connectivity - one of the ways Microsoft temporarily lured people away from Unix at the end of the last millennium).
But the file can evidently be overwritten in place. And this is where your warning lights should start blinking and your sirens start screaming.
C'mon In - Windows is Defenceless!
Look at that path location again. C:\Windows\System32. That's the Windows 'system' directory. That's where all the really important files are located. Something like your /bin, /sbin, /usr/bin, /usr/sbin, and (on Mac OS X) /System.
Now see if you can get into any of your own system directories. Just see if you can obtain write privileges without escalation. Nope. Won't work. Now look at that Windows scenario again.
The above instructions - reproduced accurately including the typos - make it clear a rogue process was able to modify what's supposed to be a crucial system file. A drive-by payload runs with whatever privileges the logged-in user has, and on a typical Windows box that user is an administrator, so nothing stands between the payload and System32.
Now a compiled HTML file might not be what you'd regard as 'crucial'. But it shouldn't be writable by an ordinary process either. And in fact no one should be allowed to even breathe hard on anything in an operating system's inner sanctum, no matter what it is.
Besides: a CHM file is not a native executable - Windows hands it to the HTML Help viewer, which renders the pages inside it. To make anything executable on a 'good' system like Unix would require changing file permissions, and to replace a file under /usr/bin would require root. But that's obviously no big deal over there on Windows.
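As an added example - not code from the original post, nor from Microsoft or any of the outlets quoted - here is the four-step check above written out, together with the write-permission question raised in the previous paragraphs. The known-good (SHA-1, size) pairs are placeholders constructed for this example (the real list the instructions refer to is not reproduced on this page), and the default target path under %SystemRoot% is an assumption.

```python
"""Integrity check of one file against a list of known-good (SHA-1, size) pairs,
plus a check of whether the current user can write to its directory without
escalation. Added example; the allowlist below is a constructed placeholder."""
import hashlib
import os
import sys
from pathlib import Path

# Placeholder allowlist of (sha1 hex digest, size in bytes). Constructed for
# this example; these are NOT hashes of any real sqlsodbc.chm.
KNOWN_GOOD = {
    ("a9993e364706816aba3e25717850c26c9cd0d89d", 3),  # sha1(b"abc")
    ("da39a3ee5e6b4b0d3255bfef95601890afd80709", 0),  # sha1(b"")
}

# Assumed default location; the real check says C:\Windows\System32\sqlsodbc.chm.
DEFAULT_TARGET = (
    Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "sqlsodbc.chm"
)


def sha1_and_size(path):
    """Return (sha1 hex digest, size in bytes), streaming so big files are fine."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def check_file(path, known_good=KNOWN_GOOD):
    """Classify a file as 'missing', 'ok' (hash and size both match an entry)
    or 'unknown' (no match). 'unknown' covers both an unlisted legitimate
    version and a tampered file: this check is a lead, not a verdict."""
    path = Path(path)
    if not path.is_file():
        return "missing", None
    pair = sha1_and_size(path)
    return ("ok" if pair in known_good else "unknown"), pair


def writable_without_escalation(directory):
    """True if the process, as it is currently running, may write into directory.
    Run this unprivileged: as root/Administrator the answer is trivially True."""
    return os.access(directory, os.W_OK)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_TARGET
    status, pair = check_file(target)
    print(f"{target}: {status} {pair if pair else ''}")
    print(f"{target.parent} writable by this user: {writable_without_escalation(target.parent)}")
```

The size is kept alongside the hash because the original instructions compare both; a mismatch on either counts. Note that a single-file allowlist only tells you that this one file is or is not a version someone has seen before - it says nothing about the rest of the system.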
The final insult comes when you realise those lusers got Gumblar on their systems through a 'drive-by download' attack - all they did was visit an infected website. There were no buttons to click - it was all 'automatic'.
And they typically didn't notice a thing.
Gumblar will try to install malicious programs which manipulate Google search result pages when viewed by Internet Explorer.
Of course you might ask how even Windows lusers can be so stupid as to not at least use Firefox (though switching browsers only helps when the exploit targets the browser itself and not a plugin every browser loads). But your protests would fall on deaf ears.
You can only resign yourself to the fact these idiots are once again ruining the neighbourhood.
Not a Major News Item
To get an idea of how much hysteria this Gumblar has caused:
'Gumblar' attacks spreading quickly
Gumblar attack worse than Conficker, experts warn
Gumblar Google-poisoning attack morphs
'Gumblar' PC virus targets Google users, warn experts
Gumblar .cn Exploit - 12 Facts About This Injected Script
Google result-manipulating Gumblar exploit picking up steam
Gumblar - An Analysis and History
Gumblar Invades Best Buy
Inside the Massive Gumblar Attack
'Gumblar' website compromises increase 188 percent this week
Google rates Gumblar distribution URL as top malware site
Thought the Conficker Virus Was Bad? Gumblar Is Even Worse
'Gumblar' Hacked Sites Install Google-targeting Malware
Gumblar - An Update
A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe
'Gumblar' Computer Virus A Growing Threat
Gumblar's obfuscation technique
Gumblar compromise growth continues
'Gumblar' attack explodes across the web
'Gumblar' web attacks spreading quickly
Stolen FTP Credentials Key to Gumblar Attack
Gumblar Exploit is the Most Prevalent Web Threat
Gumblar: The malware that is sweeping the nation
Viral Web Infections using Malware? Gumblar is, Unfortunately, Just Another Day on the Web
Security experts warn on mutating Gumblar worm
Rapidly Spreading 'Gumblar' Attack Redirects Users' Web Searches
Google Safe Browsing diagnostic page for gumblar.cn
Google vs. Gumblar: Search Engine Abused in New Round of Stealthy Attacks
Gumblar Exploit and What Every Webmaster Should Know
Gumblar hitting Googlers hard
Removal and Prevention of Gumblar.cn Infections
Gumblar Finds Successor, Continues Info Stealing Spree
Experts: Gumblar attack is alive, worse than Conficker
And it's all Windows. It's all Microsoft. It's all Mister Bill. Once again. It's never anything else.
You'll never find many of these lusers admitting it though. There are two reasons.
- They're hopelessly clueless and totally Windows-centric and they assume everybody has the same issues.
- They're journalists or so-called 'security experts' for the Windows security cottage industry and they know it's in their own best interests to keep hush about it.
Mister Bill has five (5) supposed 'chief security analysts' posted about the globe to contain the PR damage. They're in the US, Canada, the UK, Australia, and EMEA (Europe, the Middle East and Africa).
They don't do much to help poor Microsoft out. But they make sure the media and the governments are kept in check.
And they try to silence sites such as this one where people dare speak the truth.