Rixstep

All Quiet on the Windows Front?

Yeah things are really quiet over there.

Ladies and gentlemen, mesdames et messieurs, meine Damen und Herren, дамы и господа - Unix users everywhere: the hapless crew at Microsoft have perpetrated yet another disaster on the Internet we all use.

This one's called 'Gumblar', it's already morphing, and it's considered a bigger disaster than Conficker.

Normally you wouldn't run into this sort of thing because as a Unix user you wouldn't be frequenting all those hopeless Windows sites where reporters have been going ballistic for nigh on two months now. But still and all it's out there.

A quick (uninfected) search at Google reveals dozens upon dozens of hysterical articles all warning - yet again - of approaching Armageddon. All it does to you Unix users is annoy. And pollute the Internet with useless detrimental activity.

Of course you're not about to see any of these Windows-centric sites pointing that out. You have to read between the lines as per usual.

You have to run into things such as the following.

If you suspect that your computer is infected with Gumblar, CHECK:

Step 1. Find sqlsodbc.chm in your Windows system folder (by default the location is C:\Windows\System32\).
Step 2. Obtain the Sha1 of the installed sqlsodbc.chm. You can use a free tool such as FileAlyzer to obtain the SHA1 of a file.
Step 3. Compare the obtained Sha1 with this list, released by Microsoft recently to check for Gumblar attack.
Step 4. If your SHA1 along with its size don't correlate with one pair of the list below it could be a sharp sign of Gumblar infection.
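The four steps above amount to a file-integrity check: fingerprint the installed file and look it up in a table of known-good (size, SHA1) pairs. Here is that check in Python as an added example; it is not code from the original page or from Microsoft. The published list is not reproduced on this page, so the known-good table below is built from a constructed sample file rather than from real sqlsodbc.chm hashes, and the default path is only an assumption about where the file lives.

```python
import hashlib
import os
import tempfile

# Assumed location of the file named in the instructions above.
SQLSODBC_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "sqlsodbc.chm")


def fingerprint_bytes(data):
    """Return (size_in_bytes, sha1_hex) for an in-memory byte string."""
    return len(data), hashlib.sha1(data).hexdigest()


def fingerprint(path, chunk_size=1 << 16):
    """Return (size_in_bytes, sha1_hex) for a file, hashing it in chunks."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def check_file(path, known_good):
    """Compare a file against a set of known-good (size, sha1_hex) pairs.

    Returns a dict with the measured size and hash and one of three verdicts:
      ok            - the (size, sha1) pair is in the known-good set
      hash-mismatch - the size matches a known build but the content differs
                      (a replacement that kept the size, or in-place patching)
      size-mismatch - no known build has this size (appended or swapped file)
    Either mismatch is the 'sharp sign' of tampering the instructions describe.
    """
    size, sha1 = fingerprint(path)
    if (size, sha1) in known_good:
        verdict = "ok"
    elif size in {good_size for good_size, _ in known_good}:
        verdict = "hash-mismatch"
    else:
        verdict = "size-mismatch"
    return {"path": path, "size": size, "sha1": sha1, "verdict": verdict}


def demo_integrity_check():
    """Build a constructed 'clean' file, derive a one-entry known-good table
    from it, then check a same-size tamper and a grown tamper against it.
    Returns the three verdicts in that order (clean, patched, grown)."""
    # Constructed sample: "ITSF" is the CHM magic, the rest is filler, not a real CHM.
    clean_bytes = b"ITSF" + b"\x00" * 60 + b"constructed sample, not a real CHM\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "sqlsodbc.chm")
        with open(clean, "wb") as fh:
            fh.write(clean_bytes)
        known_good = {fingerprint(clean)}  # stands in for the published list

        # Same length, one byte changed: slips past a size-only check.
        patched = os.path.join(tmp, "sqlsodbc_patched.chm")
        with open(patched, "wb") as fh:
            fh.write(clean_bytes[:-2] + b"X" + clean_bytes[-1:])

        # Data appended: the size alone already gives it away.
        grown = os.path.join(tmp, "sqlsodbc_grown.chm")
        with open(grown, "wb") as fh:
            fh.write(clean_bytes + b"<constructed injected payload>")

        return tuple(check_file(p, known_good)["verdict"]
                     for p in (clean, patched, grown))


if __name__ == "__main__":
    print(demo_integrity_check())
    if os.path.exists(SQLSODBC_PATH):
        # On a real Windows box: measure the installed file, then compare the
        # pair against the published list by hand or via check_file().
        print(fingerprint(SQLSODBC_PATH))
```

Checking the size alongside the hash is cheap and, as the instructions note, both must match one pair; a file that keeps its size but changes content is the case a size-only glance would miss.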

Now right away you might realise you've never heard of files with the extension CHM. And that would be because you're not stupid enough to run Windows. CHM is an actual Microsoft de novo invention - one they not only use but for once didn't steal. And it shows.

CHM files are 'compiled' HTML: a help project's HTML pages, images and index compressed into a single archive that Windows opens in its help viewer (hh.exe). Only Microsoft would come up with something so stupid. Only Microsoft would attempt even here to corrupt open standards. CHM files are normally application 'help' files but of course can be used for anything - and the viewer will happily run script embedded in them.

Such as spreading malware such as Gumblar.

The file sqlsodbc.chm really does ship with Windows. The name implies it's the help file for SQL Server's ODBC driver (open database connectivity - one of the ways Microsoft temporarily lured people away from Unix at the end of the last millennium).

But the file can evidently be modified or replaced in place - that's why the check above compares its size and SHA1 against a list of known-good values. And this is where your warning lights should start blinking and your sirens start screaming.

C'mon In - Windows is Defenceless!

Look at that path location again. C:\Windows\System32. That's the Windows 'system' directory. That's where all the really important files are located. Something like your /bin, /sbin, /usr/bin, /usr/sbin, and (on Mac OS X) /System.

Now see if you can get into any of your own system directories. Just see if you can obtain write privileges without escalation. Nope. Won't work. Now look at that Windows scenario again.

The above instructions - reproduced accurately including the typos - make it clear a rogue process was able to modify what's supposed to be a crucial system file. On Windows XP that doesn't even take a trick: the default user account is an administrator, so whatever the browser is made to run inherits write access to System32.

Now a compiled HTML file might not be what you'd regard as 'crucial'. But nothing outside an installer should be able to write it, and it shouldn't be capable of running code either. And in fact no one should be allowed to even breathe hard on anything in an operating system's inner sanctum, no matter what it is.

Besides: a CHM file is not an executable. On a 'good' system like Unix nothing runs until somebody deliberately sets the execute bit on it. On Windows what runs is decided by the file extension and whatever handler is registered for it - a .chm opens in the help viewer, which will run the script inside it - so no permission bit stands in the way over there.
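To make the 'see if you can get into your own system directories' test concrete, here is an audit of the mode bits on a directory tree, as an added example that is not from the original page: it walks a tree and reports every entry a non-root user could write to without escalation (group- or world-writable), which on a healthy Unix box should come back empty for the directories named above. The directory list is the one from the text; the demo runs on a constructed temporary tree so it can be executed anywhere, and the function and file names are this example's own.

```python
import os
import stat
import tempfile

# The Unix 'inner sanctum' as listed above (plus /System on Mac OS X).
SYSTEM_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/System"]


def classify(mode):
    """Return the reason an entry is loose, or None if its mode is tight.

    World-writable wins when both bits are set. Sticky world-writable
    directories (like /tmp) are still reported: they don't belong inside
    a system directory.
    """
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return None


def loose_entries(root):
    """Walk root without following symlinks and return [(path, reason), ...]
    for the root itself and every file or directory beneath it whose mode
    grants write access beyond the owner."""
    findings = []
    reason = classify(os.lstat(root).st_mode)
    if reason:
        findings.append((root, reason))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; its target is audited where it lives
            reason = classify(st.st_mode)
            if reason:
                findings.append((path, reason))
    return findings


def audit_system_dirs(dirs=SYSTEM_DIRS):
    """Audit whichever of the listed directories exist here; returns {dir: findings}."""
    return {d: loose_entries(d) for d in dirs if os.path.isdir(d)}


def demo_permission_audit():
    """Constructed tree: one tight file, one world-writable file and one
    group-writable directory. Returns the sorted (basename, reason) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        tight = os.path.join(tmp, "tight.chm")
        open(tight, "wb").close()
        os.chmod(tight, 0o644)
        loose_file = os.path.join(tmp, "loose.chm")
        open(loose_file, "wb").close()
        os.chmod(loose_file, 0o666)
        loose_dir = os.path.join(tmp, "loosedir")
        os.mkdir(loose_dir)
        os.chmod(loose_dir, 0o775)
        return sorted((os.path.basename(p), r) for p, r in loose_entries(tmp))


if __name__ == "__main__":
    print(demo_permission_audit())
    for d, findings in audit_system_dirs().items():
        print(d, "clean" if not findings else findings)
```

The audit reads mode bits rather than asking os.access(), so the result is the same whether you run it as root or as an ordinary user; a write bit for group or other on anything under /usr/bin is the finding, regardless of who is asking.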

The final insult comes when you realise those lusers got Gumblar on their systems through a 'drive-by download' attack - all they did was visit a compromised website. There were no buttons to click - it was all 'automatic'.

And they typically didn't notice a thing.

Gumblar will try to install malicious programs which manipulate Google search result pages when viewed by Internet Explorer.

Of course you might ask how even Windows lusers can be so stupid as to not at least use Firefox. But your protests would fall on deaf ears.

You can only resign yourself to the fact these idiots are once again ruining the neighbourhood.

Not a Major News Item

To get an idea of how much hysteria this Gumblar has caused:

'Gumblar' attacks spreading quickly
http://news.cnet.com/8301-1009_3-10244529-83.html
ISS: Gumblar
http://www.iss.net/threats/gumblar.html
Gumblar attack worse than Conficker, experts warn
http://news.zdnet.com/2100-9595_22-306268.html
Gumblar Google-poisoning attack morphs
http://www.theregister.co.uk/2009/05/19/gumblar_google_poisoning_update/
'Gumblar' PC virus targets Google users, warn experts
http://www.guardian.co.uk/technology/2009/may/22/gumblar-google-malware
Gumblar .cn Exploit - 12 Facts About This Injected Script
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
Google result-manipulating Gumblar exploit picking up steam
http://arstechnica.com/security/news/2009/05/gumblar-exploit-hijacking-websites-and-picking-up-steam.ars
Gumblar - An Analysis and History
http://securitylabs.websense.com/content/Blogs/3401.aspx
Gumblar Q&A
http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
Gumblar Invades Best Buy
http://blog.trendmicro.com/gumblar-invades-best-buy/
Inside the Massive Gumblar Attack
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/
'Gumblar' website compromises increase 188 percent this week
http://www.scmagazineus.com/Gumblar-website-compromises-increase-188-percent-this-week/article/136836/
Google rates Gumblar distribution URL as top malware site
http://www.scmagazineus.com/Google-rates-Gumblar-distribution-URL-as-top-malware-site/article/138004/
Thought the Conficker Virus Was Bad? Gumblar Is Even Worse
http://www.switched.com/2009/06/02/though-the-conficker-virus-was-bad-meet-gumblar
'Gumblar' Hacked Sites Install Google-targeting Malware
http://www.networkworld.com/news/2009/051509-gumblar-hacked-sites-install-google-targeting.html
Gumblar - An Update
http://securitylabs.websense.com/content/Blogs/3414.aspx
A Few More Facts About the Gumblar Attack From SophosLab and ScanSafe
http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/
'Gumblar' Computer Virus A Growing Threat
http://www.cbsnews.com/stories/2009/05/29/tech/cnettechnews/main5047992.shtml
Gumblar's obfuscation technique
http://viruslab.blog.avg.com/2009/05/gumblars-obfuscation-technique.html
Gumblar compromise growth continues
http://www.virusbtn.com/news/2009/05_20a.xml
'Gumblar' attack explodes across the web
http://www.v3.co.uk/vnunet/news/2242317/gumblar-attack-explodes-web
'Gumblar' web attacks spreading quickly
http://news.zdnet.com/2100-9595_22-303166.html
Gumblar Grumbling
http://blog.threatfire.com/2009/05/gumblar-grumbling.html
Stolen FTP Credentials Key to Gumblar Attack
http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/
Gumblar Exploit is the Most Prevalent Web Threat
http://news.softpedia.com/news/Gumblar-Exploit-is-the-Most-Prevalent-Web-Threat-111701.shtml
Gumblar: The malware that is sweeping the nation
http://www.threatpost.com/blogs/gumblar-malware-thats-sweeping-nation
Viral Web Infections using Malware? Gumblar is, Unfortunately, Just Another Day on the Web
http://www.symantec.com/connect/blogs/viral-web-infections-using-malware-gumblar-unfortunately-just-another-day-web
Security experts warn on mutating Gumblar worm
http://www.cbronline.com/news/security_experts_warn_on_mutating_gumblar_worm_260509
Rapidly Spreading 'Gumblar' Attack Redirects Users' Web Searches
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=217500218
Google Safe Browsing diagnostic page for gumblar.cn
http://www.google.com/safebrowsing/diagnostic?site=gumblar.cn
Google vs. Gumblar: Search Engine Abused in New Round of Stealthy Attacks
http://www.eweek.com/c/a/Security/Google-vs-Gumblar-Search-Engine-Abused-in-New-Round-of-Stealthy-Attacks-664608/
Gumblar Exploit and What Every Webmaster Should Know
http://www.web-hosting-newsletter.com/2009/06/15/gumblar-exploit-and-what-every-webmaster-should-know/
Gumblar hitting Googlers hard
http://www.daniweb.com/blogs/entry4339.html
'Gumblar' attack explodes across the web
http://www.itnews.com.au/News/145133,gumblar-attack-explodes-across-the-web.aspx
Removal and Prevention of Gumblar.cn Infections
http://www.bleuken.com/2009/05/06/removal-and-prevention-of-gumblarcn-infection/
Gumblar Finds Successor, Continues Info Stealing Spree
http://blog.trendmicro.com/gumblar-finds-successor-continues-info-stealing-spree/
Experts: Gumblar attack is alive, worse than Conficker
http://news.cnet.com/8301-1009_3-10251779-83.html

And it's all Windows. It's all Microsoft. It's all Mister Bill. Once again. It's never anything else.

You'll never find many of these lusers admitting it though. There are two reasons.

  1. They're hopelessly clueless and totally Windows-centric and they assume everybody has the same issues.
  2. They're journalists or so-called 'security experts' for the Windows security cottage industry and they know it's in their own best interests to keep hush about it.

Mister Bill has five (5) supposed 'chief security analysts' posted about the globe to contain the PR damage. They're in the US, Canada, the UK, Australia, and EMEA (Europe, the Middle East and Africa).

They don't do much to help poor Microsoft out. But they make sure the media and the governments are kept in check.

And they try to silence sites such as this one where people dare speak the truth.

Copyright © Rixstep. All rights reserved.