By Jordy Berson, group product manager, ZoneAlarm products
Is it an outrageously fun new board game that combines Jenga and Cranium to test your right brain, left brain and "Parkinson's-proneness" all at once? No. But this fun-sounding little guy could test your computer security, your identity theft protection and your ability to reformat your computer. And it could definitely bring outrage!
Gumblar is another multi-faceted, everywhere-you-want-to-be online, ninja-quiet Web site attack that can wreak havoc on your life. It begins in what seems to be one or a combination of Russian, Latvian and Chinese kitchens where it is then embedded into vulnerable Web sites. Which Web sites? So far, ones you've probably never heard of. But if we know anything about such attacks, we know any Web site can fall victim. Google, Yahoo, and the Miami Dolphins are just a sampling of sites that have been compromised by other attacks. (So yes, it can happen to you.)
So…what's the big deal?
Well, the news says (CNET by Elinor Mills, CBR by Kevin White, plenty more) Gumblar sneaks onto your PC when you visit a Web site, injects itself into your browser and intercepts traffic between you and the Web sites you visit. That means anything you type is seen (unless it's encrypted, as traffic to most reputable bank and shop sites is). But it can also redirect you to malicious Web sites that look like real Web sites, which can download more malicious code to your PC. The net net? Play with Gumblar and you can lose your identity, unwittingly attack other computers, definitely lose money and maybe lose your mind! (“Mom, Gumblar won't stop hitting me!”)
Seemingly contrary to its spunky, extroverted name, Gumblar won't announce itself when it hits your computer. So you've got to go digging. The CNET friends give this advice (as reported by Elinor Mills):
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);
2) Obtain the Sha1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;
3) Compare the obtained Sha1 to the list located on the ScanSafe STAT Blog;
4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
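Steps 2 through 4 can be scripted instead of done by hand. The following is an added example, not code from this post, CNET or ScanSafe; the function names and the `sha1,size` line format for the reference list are assumptions, and the sample file and reference entry are constructed.

```python
import hashlib
import os
import tempfile

def sha1_and_size(path, chunk_size=65536):
    """Step 2: return (lowercase SHA1 hex digest, size in bytes) of a file."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size

def parse_reference(text):
    """Step 3: parse 'sha1,size' lines (assumed format) into a set of pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sha1, size = (field.strip() for field in line.split(",", 1))
        pairs.add((sha1.lower(), int(size)))
    return pairs

def check_file(path, reference_pairs):
    """Step 4: the SHA1 and the size must match the same reference pair."""
    if not os.path.isfile(path):
        return "missing"
    return "known-good" if sha1_and_size(path) in reference_pairs else "suspect"

def demo():
    """Constructed sample: a stand-in file and a stand-in reference list."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sqlsodbc.chm")
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in for a clean help file")
        sha1, size = sha1_and_size(path)
        reference = parse_reference(f"# sha1,size\n{sha1.upper()},{size}\n")
        clean = check_file(path, reference)
        with open(path, "ab") as fh:
            fh.write(b"!")  # any modification changes the SHA1 (and here the size)
        return clean, check_file(path, reference), check_file(path + ".x", reference)

if __name__ == "__main__":
    print(demo())
```

On a real machine, pass the path from step 1 and the pairs parsed from the reference list to `check_file`; a "suspect" result is an indication to investigate, not proof of infection.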
You can also just, you know, "do a full reformat and reinstallation" of your operating system.
That would definitely test your right brain in a way that Cranium can't. If all this sounds like less fun than a long game of Monopoly, may I and my Check Point ZoneAlarm friends (and your grandmother) use an old adage? "An ounce of prevention is worth hundreds of megabytes of cure." In this case, that ounce ranges from 6 MB to about 70 MB depending on the Check Point product (ZoneAlarm ForceField and ZoneAlarm Extreme Security, respectively) but is smaller than the ounces you get from most other security companies. And in the context of, "not all protection is created equally," this happens to be an area where ZoneAlarm shines. Because we've got ForceField, baby!
If Gumblar, Conficker, Hungry Hippo or the red-nosed "Operation" guy try to sneak onto your computer, ForceField browser security - with less than a proverbial lift of a finger - is designed to redirect those jokers straight to a sandbox. But in this sandbox, nobody is allowed to play. Sorry, Gumblar! Meanwhile, we'll be gathering more data and will update you on the protection ForceField provides against Gumblar and its variants.