Gumblar / Martuz combo website exploit - pc malware

I just wanted to make sure you guys are aware of the Gumblar / Martuz website exploit that is running rampant over the past week and particularly this weekend.

It does a drive-by download attack through un-patched vulnerabilities on Windows machines running versions of Windows prior to Vista (NT 6). It seems to be using known vulnerabilities in Flash and Acrobat. It not only makes the infected user's PC part of a botnet but also scrapes FTP usernames and passwords and then injects the malicious JavaScript into the user's sites. This trojan may change Google search results and redirect to other malicious sites. It also installs a backdoor that connects to 78 .109 .29 .112 and, after its recent mutation into Martuz, 95.129.145.58 (firewalls should be configured to block these IPs).

Sophos is calling it JSRedir-R and, according to them, last week this threat blew all previous web-based malware out of the water.

Here is some coverage about it:
http://blog.scansafe.com/
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/

You can check if sites are infected using this tool: http://www.unmaskparasites.com/

You can check if your PC is infected using malware detection software such as Malwarebytes or SpyBot. If you are infected, start with your own PC. Get it clean and get your software up to date, especially Windows, Flash and Acrobat. Then change your FTP passwords and restore your site from a backup. Once you do this, check your sites and PC again. If you're still infected, lather, rinse, repeat.

To prevent getting re-infected, consider using the Google Chrome browser or Firefox with the NoScript extension.
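The write-ups linked above describe the script this trojan injects into the pages of a site whose FTP password it stole. As an added example (not code from this post, from Sophos or from unmaskparasites.com), here is a small offline scanner you can run over a local copy of your site before and after the restore-from-backup step; the domains it flags and the eval()/unescape() length heuristic are assumptions for this example, not a signature taken from the page.

```python
import re
from pathlib import Path

# Heuristics assumed for this example (not the page's own tool): script tags
# whose src points at the domains named in the linked write-ups, and inline
# scripts that decode a long string with eval()/unescape(), the usual shape
# of an injected loader. Tune SUSPECT_DOMAINS and the threshold as needed.
SUSPECT_DOMAINS = ("gumblar.cn", "martuz.cn")
OBFUSCATED_MIN_LEN = 150                      # constructed threshold
WEB_SUFFIXES = {".html", ".htm", ".php", ".js", ".tpl"}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
DECODER_RE = re.compile(r"\b(?:eval|unescape)\s*\(", re.I)


def scan_text(text):
    """Return [(reason, evidence), ...] for every suspicious script tag."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(text):
        src = SRC_RE.search(attrs)
        if src and any(d in src.group(1).lower() for d in SUSPECT_DOMAINS):
            findings.append(("known-bad script src", src.group(1)))
        elif DECODER_RE.search(body) and len(body) >= OBFUSCATED_MIN_LEN:
            findings.append(("obfuscated inline script", body[:60].strip()))
    return findings


def scan_tree(webroot):
    """Walk a local site copy and return [(path, reason, evidence), ...]."""
    root = Path(webroot)
    if not root.is_dir():
        return []
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend((str(path), r, e) for r, e in scan_text(text))
    return hits


# Constructed sample pages: one carrying both injection shapes, one clean.
SAMPLE_INFECTED = (
    "<html><body><p>hello</p>\n"
    '<script src="http://gumblar.cn/EXAMPLE_PATH"></script>\n'
    '<script>var s="' + "%3C%2F" * 40 + '";eval(unescape(s));</script>\n'
    "</body></html>"
)
SAMPLE_CLEAN = '<script src="/js/site.js"></script><script>init();</script>'
```

Run `scan_tree("/path/to/site-copy")` against a download of the site; a hit after a fresh restore means the backup itself was taken after the injection, or the FTP password is still in the attacker's hands.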

This entry was posted in Security.