Closed Thread

Thread: About the javascript trojan that is infecting sites

  1. #1
    Join Date: Apr 2008
    Location: Chasing the Holy Grail - Pacific Northwest
    Posts: 670

    About the javascript trojan that is infecting sites

    Because of the many posts that we have seen lately about sites being hacked, I have decided to post this article about the Gumblar Trojan that has been referenced, with Early Out's approval. I am a retired Network Manager and system Email Administrator, and did this for many, many years. Security and identification of many threats were always at the top of my task list, along with notifying thousands of users of the potential consequences. So here is my nickel's worth on this subject. If you have been hit with this, then there are some guidelines below. If you haven't, then count your blessings and read the guidelines. They may prevent you from being hit with this one.

    It only took a little bit of looking and reading to see what is going on here. There is a trojan running rampant on the internet right now, and according to some sources, is one of the worst we have seen in a long time. This trojan has a couple of names, depending on where you read about it. Most call it Grumblar. Other names I have seen are Grumblr and JSRedir, where JSRedir stands for - yes - you guessed it - javascript redirection.

    What it is not:
    This is not a cross-site scripting (XSS) attack. This is also not an insecure server on a hosting site. There is nothing that any hosting site can do to prevent this, as you will see later. It's your responsibility and your problem if you get hit with it.

    Where is it:
    You will find this trojan embedded inside your site pages, and it's heavily obfuscated JavaScript, as some of you have seen and reported. It has been found inside .html, .php and .asp pages.

    Also on your browser, for search purposes.

    When did this start:
    The initial attacks, done in multiple stages, began in March, when some websites were initially compromised and the attack code was embedded in them. In May the attackers replaced the original simple code with a dynamically generated code, which was also obfuscated. Since the code was dynamic, each page that was infected had different code, thus different signatures, making it extremely hard, if not impossible, for scanner tools to find on web sites.

    What does it do:
    The scripts that get installed make an attempt to use vulnerabilities in the Adobe Acrobat Reader for PDFs and the Flash Player. It uses this to deliver code that inserts malicious search results when a user searches Google using Internet Explorer.

    The code also goes through your computer looking for FTP credentials and sends this back to the attackers. This would be your username and password to ANY sites that you maintain at ANY hosting site. The attackers can use this to gain direct access to your site files to insert more malicious code into your files, causing you to get blacklisted by the Google search engine.

    How did it get there:
    When you visit a site that has been infected (and there are thousands and thousands at this point) the JavaScript embedded in the site loads a PDF and Flash Player exploit to your browser. If you have JavaScript turned on, and your system is NOT up to date with all the Adobe patches, your computer will now be infected. It's that simple. The attackers now have access to your site as mentioned above, and redirect your Google searches. Why redirect searches? Simple - it's money - they are getting paid for hits on malicious sites.

    What can an infected site owner do:
    1. Clean your PC. This may involve using your virus protection program if it's effective for this trojan. One site I researched stated good results were obtained from Malwarebytes - malwarebytes.org - there is a free version plus a paid version. I did not check to see if the free version works for this trojan.

    1a. If you cannot clean your computer this way, then you may have to resort to the reformat and reinstall of the operating system and all of your utilities.

    1b. Install and use a good realtime antivirus program and firewall that performs intrusion detection of some sort, at least.

    2. Using a clean computer, IF you can guarantee it is clean, change all of your FTP passwords.

    2a. DO NOT store your passwords back into your programs. If need be, write them on a piece of paper and stuff that in your wallet/purse.

    3. Reload your website with clean fresh pages - the ones you backed up before you reformatted your hard drive.

    4. If possible, use SFTP instead of FTP.

    5. Keep your script installations up to date with patches as soon as possible when they are announced. Also, when you install scripts, make sure that you remove the install script and perform other recommended security tasks that the software authors recommend. Do your research ahead of time on what you are placing on your site. It's public access, people - hackers included.

    6. Stay current with updates to your operating system and utility packages.

    Wrap up:
    I hope some of this helps someone out there, calms down those people that have been hit, and helps everyone understand the cause and effects of this trojan. In this article, I have refrained from mentioning operating systems. I have been operating on the Mac for a few years now, and I do not consider it immune. This is a javascript that runs in browsers, and goes after Adobe products, common ones, PDF Reader and Flash Player. We all know that Windows is the major target of viruses and trojans, but keep in mind this one is web based.

    If you care to read more about this, perform a Google search on Grumblar. When you are tired of reading all of that, do one on JSRedir.

    Cheers
    Last edited by Early Out; 05-20-2009 at 04:45 AM.
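As an added example for the "Where is it" section and step 3 above (this is not code from the post or from the poster, and it is not specific to the trojan discussed), the script below does two defender-side checks a site owner can run after cleaning their PC: it hashes every .html/.htm/.php/.asp page in the live web root and compares it against the clean backup to list changed, added and missing pages, and it flags inline <script> blocks that look obfuscated. The suspicious-call markers, the escape-density threshold and the sample page are assumptions constructed for this example; tune them for your own site.

```python
"""Defender-side triage for injected <script> blocks in site pages.

Added example for this thread; it is not the poster's tooling and not
specific to any one trojan. Heuristic markers and thresholds below are
assumptions and should be tuned for the site being checked.
"""
import hashlib
import re
import sys
from pathlib import Path

# Page types the post says were found carrying the injected script.
PAGE_SUFFIXES = {".html", ".htm", ".php", ".asp"}

# Inline <script> bodies (tags with only a src= attribute have an empty body).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Assumed markers of obfuscated/injected JavaScript (not a malware signature).
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}")


def score_script(body: str) -> int:
    """Heuristic score: one point per suspicious call present, plus one point
    when %xx / \\xNN escapes make up roughly 30% or more of the script text."""
    score = sum(1 for marker in SUSPICIOUS_CALLS if marker in body)
    escape_chars = 3 * len(ESCAPE_RE.findall(body))
    if body and escape_chars * 10 >= len(body) * 3:
        score += 1
    return score


def find_suspicious_scripts(html: str, threshold: int = 2) -> list[str]:
    """Return the inline script bodies in `html` scoring at or above `threshold`."""
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)
            if score_script(m.group(1)) >= threshold]


def build_manifest(root: Path) -> dict[str, str]:
    """Map each page (path relative to `root`) to the SHA-256 of its bytes."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in PAGE_SUFFIXES}


def diff_manifests(live: dict[str, str], backup: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live site against the clean backup (step 3 of the post):
    pages whose content changed, pages only on the live site, pages missing from it."""
    return {
        "changed": sorted(p for p in live if p in backup and live[p] != backup[p]),
        "added": sorted(p for p in live if p not in backup),
        "missing": sorted(p for p in backup if p not in live),
    }


# Constructed sample page: one ordinary external script tag, one obfuscated inline block.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script>var s=unescape("%61%6c%65%72%74");eval(s);</script>
</head><body><p>hello</p></body></html>"""


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print("usage: triage.py LIVE_WEBROOT CLEAN_BACKUP_ROOT", file=sys.stderr)
        return 2
    live_root, backup_root = Path(argv[1]), Path(argv[2])
    report = diff_manifests(build_manifest(live_root), build_manifest(backup_root))
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind}: {rel}")
    # Only pages that differ from the clean backup need a closer look for injected JS.
    for rel in report["changed"] + report["added"]:
        for body in find_suspicious_scripts((live_root / rel).read_text(errors="replace")):
            print(f"suspicious script in {rel}: {body[:80]}")
    return 1 if report["changed"] or report["added"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python triage.py /path/to/live/webroot /path/to/clean/backup` from a machine you trust; a non-zero exit means the live tree no longer matches the backup. The hash comparison is the reliable part, since the post notes each infected page carries differently generated code; the script-body heuristic is only a hint about where to look first.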

  2. #2
    Early Out, Former Moderator, Still Respected
    Join Date: Mar 2006
    Location: Sector R
    Posts: 4,650

    To get the latest version of the Flash player, go here: http://get.adobe.com/flashplayer/

    If you have version 9 of the Acrobat PDF Reader, launch it, then choose Help, Check for Updates, and download and install whatever's available.

    If you have an earlier version of the Acrobat PDF Reader, go here, instead, and install the latest: http://get.adobe.com/reader/

    None of this will get rid of the infection if you've already managed to pick it up, but may prevent an exploit if you're still "clean."
    Last edited by Early Out; 05-20-2009 at 04:43 AM.

  3. #3
    Early Out, Former Moderator, Still Respected
    Join Date: Mar 2006
    Location: Sector R
    Posts: 4,650

    If you want to discuss this infection on your PC and/or site, please start a new, separate thread about it. Thanks.
