Around 40,000 websites have been infected with the ‘Beladen' attack.


Resembling the Gumblar attacks that were reported by ScanSafe last month, the most recent Beladen compromises are thought to result from stolen FTP credentials and it is believed that it is spreading rogue anti-virus, or scareware.


Mary Landesman, senior security researcher at ScanSafe, said: “There has been blog and media reports of tens of thousands of sites compromised by, but as noted above these claims can't be substantiated by our own traffic logs. Google Safe Browsing Diagnostics, as of 1st June, has only seen compromises on a few thousand websites, which gels with our own findings.


The most recent Beladen compromises are thought to result from stolen FTP credentials. This is a common initial vector for many website compromises, particularly as the numbers of password stealing and data theft Trojans continue to increase.” 


The Beladen attack was first flagged by Websense Security Labs at the end of May, when it detected that a large compromise of legitimate websites was taking place with thousands of legitimate websites discovered to have been injected with malicious Javascript, obfuscated code that leads to an active exploit site.


A blog by Websense Security Labs claimed that there had been 20,000 infections, a number that has since doubled in size. It claimed that the Beladen domain attempts to infect PCs through older, vulnerable browser versions and third-party applications like QuickTime and Winzip.


MX Logic said: “Beladen and Gumblar appear to mark a new trend - mass compromises of websites that convert them into a type of botnet of infected sites, rather than botnets of hacked PCs.”