
Gumblar/Martuz Aftermath

   26 May 09   Filed in Tips and Tricks, Website exploits

The Gumblar/Martuz epidemic is currently in decline. Compared with last week, this week Unmask Parasites registers only a small fraction of Gumblar-infected web sites, and I don’t see any new script mutations.

The “martuz .cn” domain no longer resolves and “gumblar .cn” is defunct (the domain is currently parked). This has stopped the surge of new infections, and the increased global awareness has helped webmasters identify the problem and get rid of it.

Recovered sites are still blacklisted

Nonetheless, I still see many websites that have recovered from the gumblar/martuz attack but remain blacklisted by Google. Their Safe Browsing diagnostic pages say something like:

“Malicious software is hosted on 1 domain(s), including martuz .cn/.”

or

“Malicious software is hosted on 1 domain(s), including gumblar .cn/.”

Their search results are labeled with the “This site may harm your computer” warning, and many browsers (Firefox 3, Safari, Google Chrome) won’t let visitors browse those sites, displaying the “Reported Attack Site” warning instead.

Judging by the last-visit date on the diagnostic pages, these webmasters have not requested a review via Google’s Webmaster Tools.

Just a reminder: If your site is blacklisted by Google, clean up the site and request a review. Here you will find all the information you need about it.

Malware review tips

I want to stress a few facts about the review process.

  1. Do request the review. I have noticed that it takes significantly longer for the warning to be removed if the malware scanners find your site clean without a review request from the site owner. When Google knows that the site owner is aware of the problem, the process is smoother and the warning can be removed within a few hours of a successful review.
  2. Request the review as soon as possible. Although Google’s malware scanners can visit your site automatically, they are not as ubiquitous as Googlebot and it may take weeks before the next scheduled visit.
  3. Don’t be afraid to request the review even if you are not sure that your site is completely clean. If any security issues are detected during the review, they will be reported in your Webmaster Tools account. Then you can fix them and request another review.
  4. Don’t delete infected web pages. If Google reports specific URLs as examples of web pages where malicious content was found, it expects to find those pages clean during the review. If the pages cannot be found, it may be treated as if they were temporarily removed just to pass the review. If you don’t need specific pages, empty them instead (you can remove them after a successful review) or configure your web server to return a 410 Gone status for them. (This information is not from official Google sources; it is based on my own observations.)

Strive for complete recovery

And a few more words to owners of websites recovered from the gumblar/martuz attack. If you requested the review, but it came back with a warning that your site is still infected, the chances are you haven’t removed the malicious code from all files.

This attack was very sophisticated. It modified many files, created backdoor scripts and changed directory permissions. Even if Unmask Parasites doesn’t detect any suspicious scripts in your web pages, the site can still be infected if you didn’t clean the external .js files (they are not checked by Unmask Parasites). You can find more details about the exploit and what it takes to get rid of it in this article. Make sure to read the comments – they add much value to the article.
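A check I would run before requesting another review, as an added example that is not part of the original post or of Unmask Parasites: a Python script that walks the site’s file tree, including the external .js files Unmask Parasites does not check, and flags references to the gumblar.cn/martuz.cn domains named above, iframes injected right after the opening body tag or hidden from view, escaped payloads that are decoded with eval/unescape at run time, and world-writable directories. The injection heuristics, the file suffix list and the sample files built in demo() are this example’s own constructed assumptions, not a description of the actual Gumblar code.

```python
"""Residual-infection audit for a recovered site tree (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Domains the post names as the Gumblar/Martuz malware hosts. A recovered
# site must not reference them at all: code that still tries to load from
# a dead domain keeps the site flagged, since the domain may come back.
DOMAIN_RE = re.compile(r"(?i)\b(?:gumblar|martuz)\s*\.\s*cn\b")

# Heuristics for injected markup. These are this example's assumptions
# about what injections tend to look like, not a Gumblar signature.
IFRAME_RE = re.compile(r"(?is)<iframe\b[^>]*>")
HIDDEN_RE = re.compile(
    r"(?i)visibility\s*:\s*hidden|display\s*:\s*none"
    r"|\b(?:width|height)\s*=\s*[\"']?[01]\b"
)
BODY_IFRAME_RE = re.compile(r"(?is)<body\b[^>]*>\s*<iframe\b")
# A long run of %XX or \xNN escapes next to a decoder call is the usual
# shape of a payload shipped obfuscated and decoded in the browser.
ESCAPED_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){16,}|(?:\\x[0-9a-fA-F]{2}){16,}")
DECODER_RE = re.compile(r"(?i)\b(?:eval|unescape)\s*\(|String\.fromCharCode")

# Assumed set of text files worth scanning; .js is deliberately included.
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js", ".inc", ".tpl"}


def scan_text(text):
    """Return the list of findings for one file's contents."""
    findings = []
    if DOMAIN_RE.search(text):
        findings.append("references a blacklisted domain")
    if BODY_IFRAME_RE.search(text):
        findings.append("iframe immediately after <body>")
    if any(HIDDEN_RE.search(m.group(0)) for m in IFRAME_RE.finditer(text)):
        findings.append("hidden or zero-size iframe")
    if ESCAPED_RUN_RE.search(text) and DECODER_RE.search(text):
        findings.append("escaped payload decoded at run time")
    return findings


def scan_tree(root):
    """Walk a site tree and return {relative path: [findings]}.

    Directories are checked for the world-writable bit (the post says the
    attack changed directory permissions); files with a scanned suffix go
    through scan_text, so external .js files are not skipped.
    """
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.stat().st_mode & stat.S_IWOTH:
                report[rel] = ["world-writable directory"]
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        findings = scan_text(path.read_text(errors="replace"))
        if findings:
            report[rel] = findings
    return report


def demo():
    """Audit a small constructed site tree (sample data, not a real infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        os.chmod(root / "js", 0o755)            # normal permissions
        (root / "uploads").mkdir()
        os.chmod(root / "uploads", 0o777)       # left world-writable
        (root / "index.html").write_text(
            "<html><body>\n<iframe src=\"http://martuz.cn/\" width=\"1\" "
            "height=\"1\"></iframe>\n<p>Welcome</p></body></html>")
        (root / "about.html").write_text(
            "<html><body><p>Clean page.</p></body></html>")
        (root / "js" / "menu.js").write_text(
            "function menu(){}\n"
            "eval(unescape('" + "%3C%73%63%72%69%70%74" * 4 + "'));\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(f"{path}: {', '.join(findings)}")
```

Run scan_tree() against a copy of the site’s document root; every path it reports should be cleaned or re-permissioned before the review request. Absence of findings is not proof of a clean site, since the heuristics only cover the injection shapes discussed on this page.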


Reader's Comments (10)

  1.

    Hey Guys. I really need help. Can anyone tell me how to find this martuz.cn script in my website files? It's horrible for business.

    Edit by Denis: Site address was removed from your signature. It still contains malware.
    http://www.UnmaskParasites.com/security-report/?page=nriinternet.com

  2.

    I was about to write an angry letter to you when I found this article.

    I have made several “request a review” but Google still has the site listed as suspicious. There is no external js file, the site is clean by unmaskparasites as well as safe by AV like AVG. Google was not listing any sample page as infectious in the in-between days; after the 3rd or 4th review request it did list one page which is clean by any standards.

    It may be well worth considering that logarithms or techniques adopted by Google need serious review ( like many of their bad policies are under scanner and Google has been discarded by many too ). Blocking pages on browser like FF is like evil dictatorship, which very small noncommercial website owners cannot fight.

    Maybe unmaskparasites should judge by its own technique and discard what Google says. I think unmaskparasites judges better and in a useful way because when unmaskparasites actually detected an inline script Google was saying things were safe when they were not. This is documented and this is serious: Google has no reliability.

    Are there any tips so that visitors using FF or Chrome can actually deactivate and do some browsing comfortably? Most users have their own AV with webshield which works practically and usefully.

    IE 7 now seems a lot safer and more comfortable to browse, not bogged down by these nuisances.

  3.

    I find it interesting that while you write
    “‘Martuz .cn’ domain no longer resolve”
    Google finds “The last time Google visited this site was on 2009-06-02, and the last time suspicious content was found on this site was on 2009-06-02.”

    It's serious that either Google corrects its techniques or we discard it.

  4.

    Hi Denis! If you said to me, I have read all comments. Google continues to mark a clean page as bad, and also shows as a sample page one which has nothing.

    Google's technique seems to be severely flawed as they marked certain stuff safe when unmaskparasites was catching those inline susp. things.

    Moreover did you read my above comment that Google still finds a domain containing bad things on a date when already that domain has vanished ( or not resolving )

    •

      Hi,

      I read every comment. I just don’t have time to respond to them as I’m moving my blog to a new server.

      The import didn’t go smoothly and comment threads got broken.

      Regarding Google malware warnings: they are usually very accurate but sometimes not very current (you should check the date on the diagnostic pages).

      Even if a domain no longer resolves, if your site contains code that tries to load something from that domain, your site is considered potentially dangerous, since the malicious domain can be reactivated at any time.

      Don’t rely on Unmask Parasites too much though. It just highlights suspicious things, but in some cases they may be legitimate. It’s just advice to a webmaster to take a closer look at the highlighted items.

      •

        “but sometimes are not very current”

        If they are not current, they are screwing up everything, like blocking users from visiting a clean site!

        “Even if a domain no longer resolve but you site contains code that load tries to load something from that domain”

        It was not about another site but that non-resolving domain itself. Google finds a domain that does not resolve and finds malware in it too!! It is not that they say “Hey, though this site does not exist now, we found this site bad in the past!”

        It would have been OK if Google kept the mess to themselves, but they are spreading it like anything, blocking many users from visiting clean, legit sites with NONCURRENT information or very flawed techniques.

  5.

    We found an iFrame tag right after the opening body tag.

  6.

    [...] how to get the warning lifted in that case was described on Unmask Parasites: Gumblar/Martuz Aftermath [...]

  7.

    [...] to the company attackers are using viruses called ‘Gumblar‘ and ‘Martuz‘ to target website [...]