Blog

Dealing With Gumblar and Martuz

Posted by Noxwizard in Support on May 22nd, 2009

In the past few weeks, a Trojan (Troj/JSRedir-R) has become the most prevalent malicious infection to ever hit websites. According to Sophos, this Trojan accounts for 42% of all infected web pages in the past two weeks. This Trojan typically targets PHP sites, and is not caused by a vulnerability in the scripts you run. Once the Trojan is on your local computer, it searches for FTP credentials and then uses them to modify the files on your website. FTP clients that store their passwords in plaintext, like FileZilla, are particularly vulnerable to this.

Checking for Infection

The first sign of infection will be either your antivirus alerting you, or your browser stating that your webpage contains harmful content. The latter is no longer a valid sign as the new variant of Gumblar, Martuz, will not show the malicious content to browsers like Chrome and Safari. Should neither of these appear, you should view the source of your webpage to look for the malicious javascript. The code is usually added immediately before the <body> tag, and it starts as: (Note: The variable names may differ from site to site)

Code: Select all
(function(jil){var xR5p='%';eval(unescape(...

The Gumblar and Martuz Trojans do not target just .html files, they affect PHP and JS files as well. The malicious code is typically added at the very top or very bottom of PHP files and is either an echo printing out the javascript, or a PHP script that starts as:

Code: Select all
if(!function_exists('tmp_...

If you have found one infected file, there will be more. The easiest way to find all of the infected files is to use a Diff tool and compare your files against a clean copy.

Removal

Since this is caused by a Trojan on your own machine, that is the first place to start. Scan your computer with antivirus and antispyware tools. Once it has been removed, change all of the passwords on your website (FTP, control panel, etc..). Then you can begin cleaning your website. Since the effects are typically widespread, the fastest and most effective way to clean the files are to delete all of them and restore them from a backup. For sites that have MODs installed on their boards, and have no backups, this will be a very tedious process.

Protecting Yourself

The best way to protect yourself from attacks like these is to keep your antivirus and antispyware software up-to-date. If you don’t have that software, then you should get it. When uploading files to your server, you should try to use an SFTP or SCP connection if your host has it available. If you are using FTP clients that do not encrypt their passwords, be sure to not save your FTP credentials.

More Information

More information can be found here:
Gumblar.cn Exploit, 12 facts about this injected script
A few more facts about the gumblar attack from sophoslab and scansafe
Martuz.cn is a new incarnation of Gumblar exploit

17 Responses to “Dealing With Gumblar and Martuz”

Posted by Jabe on May 22nd, 2009 at 8:38 am:

So what is the best way to encrypt Filezilla passwords? Or use SFTP or SCP? Do you have any tutorial?

Posted by Pascal24 on May 22nd, 2009 at 6:51 pm:

Thanks for this important and interesting blogpost, yeah sadly you hear this more and more, so its good that some attention is posted here.

Security begins always by yourself so its important that you keep yourself uptodate, having the newest virus library and downloading safe files from the internet is always recomended.

Posted by Dog Cow on May 22nd, 2009 at 10:09 pm:

This is the first time I’ve heard of this. Sounds like more Windows garbage.

Posted by Noxwizard on May 23rd, 2009 at 4:26 am:

So what is the best way to encrypt Filezilla passwords? Or use SFTP or SCP? Do you have any tutorial?

I don’t use FileZilla, but as far as I know, you can’t encrypt them. This was a design decision of theirs for FileZilla 3.

Or use SFTP or SCP?

There wasn’t an “or”. If you have it available, use it. If you don’t know if it’s available, then ask your host. It does not protect the passwords stored on your machine, it protects the connection that you establish.

Specifics pertaining to particular clients should be asked at the software’s site, it is beyond the scope of this article.

Posted by Keith on May 23rd, 2009 at 12:51 pm:

I take it keeping up to date with antivirus definitions should be enough to protext my FileZilla passwords and FTP to my site? Hope so!!

Posted by Dan27 on May 23rd, 2009 at 4:30 pm:

hmm well i am running a virus check now, but hopfully there is nothing, from now on i am not going to any unknown sites…

Posted by Pony99CA on May 23rd, 2009 at 11:01 pm:

This is the first time I’ve heard of this. Sounds like more Windows garbage.

I use Windows, read some security news and this is the first I’ve heard of it, too.

As for being “Windows garbage”, who knows? The article didn’t tell how it was spread, what the effects were (other than uploading itself to your Web site) or other useful facts. I guess I’ll have to check the links out.

Posted by ameeck on May 24th, 2009 at 1:31 pm:

Generally saving a password on your PC will always make it prone to be deciphered and stolen.

The most important thing here is to ensure your PC is clean and the connection is secure (SFTP and SCP is what you need here).

Posted by Dog Cow on May 26th, 2009 at 9:10 pm:

From reading just this blog and the first link which was listed under “More Information,” here’s my impression of how this is spread:

1.) Someone first made a web site which hosts Windows PC software, such as some executable file.

2.) The way this spreads is that you go to a site which has this software, and some combination of Javascript/ActiveX/whatever gets this executable downloaded to your PC, where it executes itself.

3.) This program then looks for any FTP clients on your PC hard drive which have stored passwords and log in details.

4.) If this program finds some, it connects to an FTP server, and looks for .php or .html files and modifies them to add the same combination of code mentioned in Step 2.

5.) It then saves these files to your server, so your site is now infected, and someone else visits and starts again at Step 1.

6.) The program then goes on to do whatever else on your PC… I don’t know.

Posted by Sterix on May 26th, 2009 at 9:46 pm:

The scum who write these Trojans and viruses want stringing up by their never-regions, every inch of their skin flayed from their bodies, and their hands sawn off with a dull-bladed bread knife. They are the lowest form of life on this planet – even lower than politicians and lawyers…

Posted by mtrs on May 28th, 2009 at 6:51 pm:

On 3rd April, I visited a website which gave alarm by opening strange files, something opening acrobat at my pc.
After that, the same thing happened to me, when I visited my site on 11st April, I found out this was malware. So, replaced my file backups from 20 March, and fixed. It was a real time consuming pain. I also use Filezilla and discovered later that how my site got infected. My antivirus software was not up-to-date either..

Posted by Techokami on May 30th, 2009 at 1:41 pm:

Okay, that’s for disinfecting user’s computers. Now how about something to clean up the spam these things make on forums?

Posted by Kent Komeri on May 30th, 2009 at 3:05 pm:

A little note: the “gumblar” is evolving …

Found evidence of 94.247.2.x is also being used to spread the infection.

Posted by iWisdom on June 3rd, 2009 at 11:22 pm:

Further reports seem to have indicated that Gumblar switches your network card into a different mode to capture packets send across your network, ergo it is capturing your FTP passwords not only from your computer, but from the others on your network as they are being sent.

If you do believe you are infected, then, you should not only check your system, but the other systems on your network.

Posted by Mike O'Brien on June 19th, 2009 at 4:49 pm:

I’ve got about 4 sites that are still infected and I will probably have to start over with them because when I look at the source code I can still see it even after I cleared it out of the header.php area and I’m not sure why its not gone . I also had to clear out the config.php file because of the if(!function_exists(‘tmp_… and a bunch of other files
and it still shows up on the source code, so I’m stumped and I’ll probably just clear it all off and start over. what a bummer it’s not easy with four different sites. Btw I use roboform to save my passwords and I wonder if that could of been the problem maybe it got a hold of my server password! Thanks for the topic!

Posted by marcel on July 21st, 2009 at 10:11 pm:

As of now I did the following.
-Format my drives. ( or clean them)
-I installed avast, instead of avg (avast detects the F*cker)
- I cleaned my site (downloaded it and got rid of the infected files (using avast))
- using back-up files, I restored my site
- uploaded it with filezilla ( I still need to read about a better alternative)
- and unchecked all the writing permissions for all of the files.

I am clean for a while now

Posted by OrentZenper on November 14th, 2009 at 11:10 am:

This site is very useful. Thanks for the information.

I am definitely bookmarking it.

Commenting is disabled for this blog post