The Gumblar/Martuz epidemic is currently in decline. Compared with last week, this week Unmask Parasites registers only a small fraction of Gumblar-infected web sites. And I don’t see any new script mutations.
The “Martuz .cn” domain no longer resolves and “gumblar .cn” is defunct (the domain is currently parked). This has stopped the surge of new infections. And the increased global awareness helped webmasters identify the problem and get rid of it.
Nonetheless, I can still see that many websites recovered from the gumblar/martuz attack are still blacklisted by Google. Their Safe Browsing diagnostic pages say something like:
I usually suggest that you use Firefox with the NoScript plugin for safer web browsing. This combo will save you from most web threats. Just remember one rule: Never use the “Allow this page” and the “Allow Scripts Globally” options.
NoScript is also a great helper in revealing tricky website exploits.
Let me use the “Telegram .com” case to show how I use it.
Building sophisticated websites is pretty easy these days. Whatever you want (blog, forum, eCommerce solution, picture gallery, video sharing site, or even your own social network) – there is a free third party script that you can use to build your site in a matter of hours.
However, this ease comes at a price. Unfortunately, no software is perfect. Hackers have a great incentive to find vulnerabilities in popular scripts – if they find a security hole, they can exploit thousands (and sometimes even millions) of websites that use the buggy script. And the fact that most popular scripts are free Open Source software helps hackers immensely.
Some time ago I had a series of posts about the .htaccess exploit that redirected search engine traffic to bogus Antivirus sites.
This sort of exploit is still very widespread. Many site owners wonder why Google blacklists their sites when their web pages are absolutely benign and sites mentioned on Google’s Safe Browsing Diagnostic pages have absolutely nothing to do with their site’s content.
Here is an excerpt from a typical Safe Browsing Diagnostic page for an affected site:
Malicious software is hosted on 5 domain(s), including best-antimalware-pro-scan .com/, fastantimalwareproscanner .com/, fullantispywareproscan .com/.
4 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including module-antispyware .info/, securedradiostation .cn/, great-antispyware .info/.
When I see multiple antivirus-related domain names in the diagnostics, I am almost sure the site has a hacked .htaccess file that redirects search engine traffic to scam sites. Still, I need to verify my guess.
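One way to check a downloaded copy of the .htaccess file for this pattern, as an added example that is not code from the original post: it flags mod_rewrite rules that apply only to visitors identified as coming from a search engine and that send them to a host other than your own. The function name, the engine list and the sample rules (with a placeholder domain) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of search-engine names to look for in conditions.
ENGINES = re.compile(r"google|yahoo|bing|msn|aol", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_referrer_redirects(htaccess_text, own_hosts):
    """Return (line_no, external_host, variable) for every RewriteRule that is
    gated on a search-engine referrer or user agent and points off-site."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments never take effect
        cond = COND.match(line)
        if cond:
            if ENGINES.search(cond.group(2)):
                pending.append(cond.group(1).upper())
            continue
        rule = RULE.match(line)
        if rule:
            # Only absolute URLs have a hostname; local rewrites yield "".
            host = (urlsplit(rule.group(1)).hostname or "").lower()
            if pending and host and host not in own:
                findings.append((line_no, host, pending[0]))
            pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


# Constructed sample: one legitimate canonical-host rule, one suspicious rule.
SAMPLE = r"""RewriteEngine On
# legitimate canonical-host redirect
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule .* http://scanner.example.invalid/ [R,L]
"""

if __name__ == "__main__":
    for line_no, host, var in find_referrer_redirects(SAMPLE, {"example.org", "www.example.org"}):
        print(f"line {line_no}: {var}-gated redirect to external host {host}")
```

A hit is a lead to inspect by hand, not proof of compromise; compare the flagged lines against a known-good copy of the file.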