Re: hxtp://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
Gumblar is a multi-layered attack vector that infects through vulnerable Adobe software and tries to steal FTP data to try and infect websites; it also tries to manipulate their Google results, i.e. SERPs. When website owners try to clean their sites out, further infection will spread. As many as 188.000 sites have been infested through this attack from gumblar, a Chinese domain the virus is named after. For the details of this infection re:
this one is quite nasty … obviously the attacks' complexity is increasing each quarter …
obviously the first step for being secure against this one is to get rid of Adobe Acrobat completely (use FoxIT)
p.s. i just realized FoxIT also supports javascript for PDF (i got it disabled but i assume by default it’s on)…
any idea if it is vulnerable too? problem i see …
For protection against malcode-related Internet threats like this one I also suggest using Firefox 3 with the NoScript plugin (never use the “allow all this page” option. If you need scripts, allow trusted domains one by one. This way your browser will never load external scripts and iframes with trojans); additionally you can use the RequestPolicy extension inside Fx or Flock.
I haven’t seen a script-related vulnerability, be it past, present or future, that has not been stopped from running, and so from doing harm, by NoScript; all the browser can read and run, NoScript can read and prevent from running. Also we have the additional protection from avast’s shield, so secure.
Well I agree with you to abstain from Adobe as it has been plagued with vulnerabilities and security issues so often in the past, that I also would opt for another less vulnerable reader,
thx DavidR, maybe i installed and enabled it sometime in the past …
(or check update in FoxIt and see if you got there javascript module to install or not)
I know it had been patched, but there are users out there that haven’t patched their third party software as we use to through Secunia PSI.
Gumblar is an ongoing multi-layer online malcode threat that uses various exploits as it is being further “developed” by the malcoders. Unmask.parasites blog has reported on these evolving versions.
Users should now understand that safe surfing on the Internet by going to reputable secure sites is no longer possible without scanning EVERY (forgive me the loud spelling!) link they are about to click on, because cybercrime is all over the net to infest websites.
A lot of browser users still have to wake up to this new situation, and act accordingly. If this posting contributes a bit towards this awareness, I think it was right to place it here,