Cleansing Gumblar from websites....

Hi malware fighters,

The source of the latest Javascript is gumblar.cn,
http://www.robtex.com/dns/gumblar.cn.html
which has a Moscow IP address that reverses to ukservers.com.
ScanSafe has more details
here: http://blog.scansafe.com/journal/2009/5/8/google-serps-redirections-turn-to-bots.html
and here: http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html

This is the source file to infect websites.

In each “Images” folder in your site it will copy a php file “image.php” .

Before removing the script from pages,
you must rewrite the same file in place of image.php and change its permissions.

Then remove the scripts.

If your site gets the iframe version, you must remove the iframe as fast as you can,
then replace the image.php.

Because Google may consider your site a harmful site.

Good news is that .asp files won’t get this virus.

Another thing is that, in CMS sites, it changes the permissions of template folders!!!

Script to identify infected files:
http://www.blog.isra3l.net/?p=184

A script for automatically removing the trojan from a website:
http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/

polonus
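An audit helper for the cleanup steps listed in the post above, added here as an example and not code from the thread or the linked scripts. It reports every image.php dropped into a folder named images/Images, lists pages that reference gumblar.cn or carry a hidden iframe, and can neutralise one dropper the way the post describes (keep a copy aside, overwrite with an inert file, lock it read-only). The web root, quarantine directory and all fixture files are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Defensive audit of a web root for the
# Gumblar cleanup steps: locate dropped image.php files, locate injected pages,
# neutralise a dropper. Paths below are constructed fixtures, not real site paths.
set -u
WEBROOT="${WEBROOT:-$(mktemp -d)}"          # assumption: scan root (constructed)
QUARANTINE="${QUARANTINE:-$(mktemp -d)}"    # assumption: copies kept outside the site

setup_fixture() {   # constructed sample site: two droppers, two injected pages, two clean files
    mkdir -p "$WEBROOT/images" "$WEBROOT/blog/Images" "$WEBROOT/css"
    printf '<?php /* stand-in for the dropped file */ ?>\n' > "$WEBROOT/images/image.php"
    printf '<?php /* stand-in for the dropped file */ ?>\n' > "$WEBROOT/blog/Images/image.php"
    printf '<html><body>hi<script src="http://gumblar.cn/"></script></body></html>\n' > "$WEBROOT/index.html"
    printf '<body><iframe src="http://example.invalid/" style="visibility:hidden"></iframe></body>\n' > "$WEBROOT/blog/post.php"
    printf '<html><body>clean</body></html>\n' > "$WEBROOT/about.html"
    printf 'body{color:#000}\n' > "$WEBROOT/css/site.css"
}

# Step 1 of the post: the dropper named image.php inside any folder called
# images/Images (case-insensitive path match).
find_droppers() {
    find "$WEBROOT" -type f -ipath '*/images/image.php' | sort
}

# Steps 2-3: pages carrying the gumblar.cn script tag or an injected hidden iframe.
# Report only; nothing is modified here.
find_injected() {
    grep -rliE 'gumblar\.cn|<iframe[^>]*(visibility: *hidden|display: *none)' \
        --include='*.html' --include='*.htm' --include='*.php' --include='*.js' "$WEBROOT" | sort
}

# Neutralise one dropper as the post advises: copy it aside for later analysis,
# replace it with an inert file of the same name, and make it read-only so the
# injector cannot simply re-drop over it.
neutralize_dropper() {
    f="$1"
    cp "$f" "$QUARANTINE/$(printf '%s' "$f" | tr '/' '_')"
    printf '<?php exit; /* neutralised placeholder */ ?>\n' > "$f"
    chmod 0444 "$f"
}

# Usage: build the fixture, then print what the audit finds.
audit() {
    setup_fixture
    echo "droppers:";       find_droppers
    echo "injected pages:"; find_injected
}
```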

[b]Live.com poisoning - Gumblar/Martuz isn't the only infection around .....[/b]
http://hphosts.blogspot.com/2009/05/livecom-poisoning-gumblarmartuz-isnt.html

Hi YoKenny,

Just to show how international this is, re: http://blog.scansafe.com/journal/2009/5/18/japans-geno-gumblar.html
What I also found when delving into this is how hard it can be for the web admins to find the attack code, hidden sometimes inside manipulated images or inside manipulated and randomly obscured PHP code. The attackers know every trick in the book. Although websites with attackable content are around that much, the code on a particular website can stem from various domains (that is why I propagated the RequestPolicy add-on for the Fx browser from day one the extension came around); if something that you redirect to changes its act through manipulative insertion of malcode, and if not alerted otherwise by scanning for attack code, cleansing can take as long as 50-60 days (sometimes a question of cost, where slowly overwriting data is the most cost-effective method, but the least secure option. Well, days of crises are boom-times for cybercrime).
The cybercriminals from gumblar & co are seeking a somewhat lower profile now, because of the media attention; maybe they need some cool-off time, but others will try to jump into the botnet-controlled hole. There are enough older and newer Flash, Adobe, and other vulnerabilities around to abuse, and also enough website owners and webmasters that missed their security bootcamp training; if not, they lose from their ad-click income through these attacks.

polonus