January 16, 2010

Major virus spyware activity Gumblar Vundo overlay.xul

Filed under: News — admin @ 6:27 pm

Jan this year was fun: a variant of Vundo and Gumblar came roaring back.  It infected my desktop and 70 of my websites before I knew it was even here.  It happened to me on Jan 14th, but it looks like it was unleashed around December 2009 / January 2010.   It redirected Google results to ad pages, but not all of the time; if I backed out and clicked again it would let me through.  From what I can tell this is the largest attack in a while and a major security breach, stealing passwords and usernames from all kinds of programs. FTP seems to be its preferred data, so it can spread itself and take over your websites.

Here is a link to the tool I used to remove the rogue code from over 7000 of my files that it infected, in 1 day:   http://justcoded.com/article/gumblar-family-virus-removal-tool/

I believe mine came in with a variant of the Vundo trojan and installed a variant of the Gumblar spyware.

http://en.wikipedia.org/wiki/Gumblar

http://en.wikipedia.org/wiki/Vundo

It seems to be centered in Asia and now migrating to the U.S.

Gumblar botnet builder resurfaces with a vengeance

http://www.mxlogic.com/securitynews/viruses-worms/gumblar-botnet-builder-resurfaces-with-a-vengeance335.cfm

Thursday, January 7, 2010

Though security researchers had believed it to be more or less dormant, the Gumblar malware came storming back into prominence at the turn of the decade, performing what Softpedia calls a “mass injection attack” on computers and websites around the world.

Sunday, Jan. 10, 2010

Police begin Gumblar virus probe
http://search.japantimes.co.jp/cgi-bin/nn20100110a7.html

Kyodo News

Tokyo police have begun investigating suspected cases of unauthorized Internet access after a number of companies reported that their Web sites had been altered, apparently by the Gumblar computer virus and its variants, Metropolitan Police Department officials said.

The department’s high-tech crime investigators believe IDs and passwords were used to access the sites in many of the cases that have been reported since mid-December. Viewers of these altered sites were redirected to other Web sites containing malicious software.

Hackers Compromise Fox Sports Website
http://www.spamfighter.com/News-13713-Hackers-Compromise-Fox-Sports-Website.htm

According to a warning released by security researchers, the Fox Sports website, an integral part of the Fox Broadcasting Company, has gone under the control of unknown hackers. The hackers injected malware inside the ‘custom error’ section of the site. Two different malicious codes have been found, each as a result of a different infection.

And the best article I found so far is from Scansafe:

To load the malware from the backdoored websites, tens of thousands of other compromised websites have had malicious iframes embedded. Alarmingly, Web surfers who visit one of these conduit sites will be exposed to a collection of exploits designed to silently install the Gumblar malware.  On Windows systems, the installed malware loads when sound-enabled sites or devices are accessed.  It also injects itself into the Internet Explorer process and intercepts all Web traffic to and from the computer.  Any captured FTP credentials are sent to the attacker thus furthering the growth of the Gumblar website botnet.
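The injection mechanism Scansafe describes above (hidden iframes planted in tens of thousands of legitimate sites to pull in the exploit pages) and the cleanup of several thousand infected files mentioned earlier are the kind of job a small scanner handles. What follows is an added example written for this post, not the justcoded removal tool and not Scansafe's code: it walks a web root, reports iframes that are both hidden and pointing off-site, flags script blocks that decode a string and then eval it, and can strip the iframes while keeping a .bak copy of every file it touches. The heuristics, the site host name www.example.org, the evil.invalid URL and the sample files are all assumptions constructed for the demo, not real Gumblar signatures.

```python
"""Find (and optionally strip) injected hidden iframes and flag obfuscated
script blocks across a web root. Added example for this post, not the
removal tool linked above; every heuristic and sample file here is an
assumption constructed for the demo."""
import os
import re
import shutil
import tempfile

SCAN_EXT = {".html", ".htm", ".php", ".js", ".tpl"}

# Assumed heuristics: an iframe is "hidden" when sized to 0/1 px or styled
# invisible; a script is "obfuscated" when it both decodes a string at
# runtime and executes the result.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe>)?", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?[01]["'\s/>]"""        # width="0"
    r"""|\b(?:width|height)\s*:\s*[01](?:px)?\s*[;"']"""      # style="height:0px;"
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODE_RE = re.compile(r"unescape\s*\(|String\.fromCharCode|atob\s*\(|\.replace\s*\(\s*/", re.I)
EXEC_RE = re.compile(r"\beval\s*\(|document\.write\s*\(|\bFunction\s*\(", re.I)


def external_host(src, own_host):
    """True when src is an absolute URL whose host is not the site's own."""
    m = re.match(r"^(?:https?:)?//([^/?#]+)", src.strip(), re.I)
    return bool(m) and m.group(1).lower() != own_host.lower()


def scan_text(text, own_host):
    """Return (kind, offset, snippet) findings for one file's content."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if src and HIDDEN_RE.search(tag) and external_host(src.group(1), own_host):
            findings.append(("hidden-iframe", m.start(), tag[:100]))
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        if DECODE_RE.search(body) and EXEC_RE.search(body):
            findings.append(("obfuscated-script", m.start(), body.strip()[:100]))
    return findings


def scan_tree(root, own_host):
    """Map relative path -> findings for every scannable file under root."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            hits = scan_text(text, own_host)
            # a bare .js file has no <script> tags; judge the whole file
            if ext == ".js" and DECODE_RE.search(text) and EXEC_RE.search(text):
                hits.append(("obfuscated-script", 0, text.strip()[:100]))
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def strip_hidden_iframes(text, own_host):
    """Remove hidden off-site iframes; return (cleaned_text, removed_count)."""
    removed = 0

    def repl(m):
        nonlocal removed
        tag = m.group(0)
        src = SRC_RE.search(tag)
        if src and HIDDEN_RE.search(tag) and external_host(src.group(1), own_host):
            removed += 1
            return ""
        return tag

    return IFRAME_RE.sub(repl, text), removed


def clean_tree(root, own_host):
    """Strip injected iframes in place, keeping a .bak copy of each changed
    file. Obfuscated scripts are only reported: deleting them blindly can
    break the site's own code, so they go to a human."""
    total = 0
    for rel, hits in scan_tree(root, own_host).items():
        if not any(kind == "hidden-iframe" for kind, _, _ in hits):
            continue
        path = os.path.join(root, rel)
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
        cleaned, n = strip_hidden_iframes(text, own_host)
        if n:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8") as f:
                f.write(cleaned)
            total += n
    return total


def build_sample_root():
    """Constructed sample web root for the demo (not real infected files)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": (
            "<html><body><h1>Welcome</h1>\n"
            '<iframe src="http://www.example.org/embed/map" width="400" height="300"></iframe>\n'
            "</body>\n"
            # constructed injection: off-site, zero-sized, hidden
            '<iframe src="http://evil.invalid/in.php" width="0" height="0" '
            'style="visibility:hidden"></iframe></html>\n'
        ),
        "inc/footer.php": (
            "<div>&copy; 2010</div>\n"
            "<script>eval(unescape('%61%6c%65%72%74%28%31%29'));</script>\n"
        ),
        "js/site.js": "function hello(){ document.title = 'hi'; }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for rel, hits in scan_tree(root, "www.example.org").items():
        for kind, off, snip in hits:
            print(f"{rel}:{off}: {kind}: {snip}")
    print("removed", clean_tree(root, "www.example.org"), "injected iframe(s); .bak copies kept")
```

Cleaning files is only half the job the post describes: the FTP credentials the malware harvested from the desktop are what let it spread to the sites, so change every FTP password from a clean machine before or right after the cleanup, or the injected code comes straight back. Obfuscated scripts are deliberately reported rather than deleted, since a site's own minified JavaScript can trip the same decode-then-eval heuristic.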


Party Crashers

Filed under: Uncategorized — admin @ 2:40 pm

Everyone knows there has been some party crashing happening lately, but now it is striking closer to home. Nobody seems responsible or can figure out how they got in, but the pictures from the events tell the story.