By Jordy Berson, group product manager, ZoneAlarm products
We just got the results in from our malware testing team. We don’t like to claim victory early, even when we are fairly certain of a win. But now we know. (Technical details are in the last section for the “just the facts” folks.)
“Are you ready to ruuumble??”
To be sure, it wasn’t the best fight. ForceField won. Easily. There wasn’t even any contact. It made for a snoozer of a fight. But a snoozer is exactly what you want when your identity and security are at risk.
Here’s how it went down:
The victim user went to one of many possible sites. So far, more than 3,000 Web sites have been attacked, including a popular entertainment site and a popular sports site. The second the victim arrived on the infected site, Gumblar was waiting. And not for a fair fight.
When you cannot even see the enemy, what chance do you have?
Far from facing its victims, Gumblar sneaks right past you, through a vulnerability in your computer software. Normally, the fight would end here. Gumblar would find a quiet place on your computer and take over. He could then do any number of things these types of threats typically do: spy on you, watch which sites you go to, record everything you type, open doors to let some of his friends onto your computer, and use *your* computer to attack other computers!
But not this time
The enemy Gumblar faced was ForceField. Not brawny, but definitely wise and clever, ForceField saw right through that invisible cloak and instantly knew Gumblar was an uninvited guest. So when Gumblar snuck onto the victim computer, ForceField did a classic sneak attack of its own. Gumblar ended up on the victim computer, sure enough, but landed straight in jail. Here, Gumblar was completely isolated from the rest of the computer and was unable to do anything at all. This maneuvering on ForceField’s part was done automatically – you as a user had to do nothing to protect yourself.
So were you a victim or not?
· First of all, it is more likely you did NOT hit a Gumblar-infected site than you did**. So take a breath and read on.
· People using ZoneAlarm ForceField as a trial or who own ZoneAlarm ForceField are protected. Right on!
· People using ZoneAlarm Extreme Security get the protection of ForceField as well. But in ZoneAlarm Extreme, you have to activate the virtualization protection, as it’s off by default. Go to the Browser Security panel of ZoneAlarm Extreme, click the Settings button, and make sure the checkbox next to “Enable Virtualization” is checked.
· If you are running ZoneAlarm anti-virus: ZoneAlarm anti-virus signatures have been updated to offer an additional layer of automatic protection against Gumblar.
· If you weren’t running ForceField virtualization, see my previous blog “Gumblar – Not a new Parker Brothers game” for details on how to know if you’ve been infected.
**The likelihood of falling victim to a single attack is low. But because there are so many attacks out there, the likelihood you’ll hit one eventually is much greater. So protect yourself! Even if you don’t run ForceField, at least make sure all the software on your computer is always up-to-date!
Gumblar versus ForceField: Just the facts
· We were able to locate an actual Gumblar attack and test ForceField against it. ForceField successfully defended the computer against Gumblar.
· ForceField used virtualization to redirect the automatic, hidden drive-by download so it could not run on the victim computer. It also used heuristics to label the host site as suspicious and warn the user not to download anything from the site or enter personal information into it. The warning was issued in case Gumblar had a social engineering component to its attack in addition to the drive-by download; in this case it did not.
· Based on this successful test, it is very likely ForceField protects from other variants of Gumblar (though it is the nature of this quickly-evolving business that nobody can ever be 100% certain).
· ZoneAlarm anti-virus signatures have also been updated to offer an additional layer of automatic protection against Gumblar.
· As always, users should ensure they have the latest version of their browser, operating system, Adobe software, and all other software including security software.
Test conditions we used:
1. IE v. 7.0.5730.11
2. Adobe Reader v. 9.0.0
3. ForceField v. 126.96.36.199