return of the gumblars

Latest post 11-07-2009 6:35 PM by shipley.c. 2 replies.

return of the gumblars

11-07-2009 6:58 AM

A few weeks ago one of our client's sites was hacked. The hacker ran a script on another, presumably unsuspecting site, that installed the nastiness on our computers. You can read about this new type of gumblar attack here: http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/

This method went right past our MalAware-AVG-Adaware-Firewalled systems. The article above explains a bit why that is possible. Now we are using a FireFox plug-in called NoScript that I highly recommend. It gives you the option of running scripts found on a website - if you notice scripts being run on other sites that have nothing to do with your current page you can stop them.

However, what was most interesting to me was the recovery.

One of our machines is a MS XP install, purchased from good ol' Tech Soup. Recovery was straightforward as described in this article:

http://support.microsoft.com/?kbid=307545

The other computer, my working laptop, was another story. It is a Dell with an OEM installed XP. The above article did not help, just as they promised in their preface. In fact the only way to get my machine back was a full reinstall from the OEM disk. Painful since I had all sorts of software installed for work that had to be reconfigured. No data was lost.

I had no idea that OEM operating systems were so mangled as to cause this type of problem. Something to watch out for. I think that when I buy a system with an OEM installed OS I will just overwrite from the beginning with a clean MS version, purchased from TechSoup of course....


bryan forst

Re: return of the gumblars

11-07-2009 1:32 PM

I have used NoScript for a long time, but I have not tried to overcome barriers to getting the whole office to use it. What is the best way to approach this inertia, which has at least three components:

I may be wrong, but it seems that Firefox addons work only for the user who installs them, so I don't know how to install NoScript for users except when they are logged into the local network. This problem is probably compounded by the fact that almost everyone in the office uses various computers, so that I might need to get NoScript installed on many computers for each user.

Then there is some (probably small) resistance, among people accustomed to Internet Explorer, to using Firefox; I recognize, but have overlooked, the relative security issues with IE.

Then, if users will faithfully convert to Firefox, and if I get NoScript installed for everyone, it is an extra bit of trouble for the users, and I felt it would tend to drive people away.

Re: return of the gumblars

11-07-2009 6:35 PM

NoScript isn't very easy for users to understand, so I agree with you Jesse. I see two things you could do. Try to change the culture and educate the office - it will actually do good for them in the office and at home as well. Or, you could install something on the network level that would prevent this sort of thing. Astaro Security Gateway web filtering would protect against this - not sure what other competitor products might be able to do (disclaimer, my company resells Astaro products - but we use them too and the intrusion protection system is really good). So might using OpenDNS (unless the script attack was using a dotted IP address instead of an FQDN).
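The cross-site script loading described in the first post (a script pulled in from another compromised site) and the caveat in the last reply (DNS-based filtering such as OpenDNS cannot stop a script fetched by raw IP address) can both be checked offline for a page you host. The following is an added example, not code from any poster in this thread. It does, for a saved HTML page, roughly what NoScript does in the browser: it lists every <script src=...> that loads from a host other than the page's own, and separately flags sources addressed by an IP literal. The page URL, hostnames and IP address in the sample are constructed placeholders, not real indicators.

```python
"""Audit external script references in an HTML page (stdlib only).

Added example for this thread; not the code of any poster or product.
Lists each <script src=...> that loads from a host other than the page's
own, and flags sources addressed by a raw IP literal, which DNS-based
filtering (OpenDNS, as mentioned in the last reply) cannot block.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _is_ip_literal(host):
    """True if host is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))  # tolerate [::1] form
        return True
    except ValueError:
        return False


def audit_scripts(page_url, html):
    """Return [(absolute_src, classification)] for every external script.

    classification is one of:
      'same-origin' - host matches the page's own host
      'third-party' - a different FQDN (NoScript would prompt for this)
      'ip-literal'  - bare IP address (DNS filtering is blind to it)
    """
    page_host = urlparse(page_url).hostname
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlparse(absolute).hostname
        if host is None:
            continue  # javascript: / data: URLs are not a network fetch
        if _is_ip_literal(host):
            kind = "ip-literal"
        elif host == page_host:
            kind = "same-origin"
        else:
            kind = "third-party"
        findings.append((absolute, kind))
    return findings


def suspicious(findings):
    """Everything not loaded from the page's own host."""
    return [f for f in findings if f[1] != "same-origin"]


# Constructed sample page: the hostnames and the IP are placeholders
# (documentation ranges), not indicators from any real incident.
SAMPLE_URL = "http://www.example.org/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="http://203.0.113.7/x.php"></script>
<script>var inline = 1;</script>
</head><body>hello</body></html>
"""

if __name__ == "__main__":
    for src, kind in audit_scripts(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:12} {src}")
```

Run it against a page saved from your own site: every 'third-party' line is a script you should be able to explain, and any 'ip-literal' line is one that a hostname-based filter would never have seen, which is exactly the case the last reply points out.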