The Gumblar series of website compromises was the cause of 29 per cent of all web malware blocks in October 2009.
In its monthly Global Threat Report, ScanSafe revealed that Gumblar began leveraging its botnet of backdoored websites to host the malware which is dynamically constructed at the time of access.
Therefore different users, dependent on their browser type and other considerations, will be delivered different exploits and potentially different malware. ScanSafe claimed that this was especially worrying, as the malware is dynamically obfuscated, hampering detection via traditional signature strings.
Mary Landesman, senior security researcher at ScanSafe, said: “The implications of this are rather staggering. When a typical outbreak of website compromises occurs, there are generally only a few actual malware domains involved.
“In the case of Gumblar, conservatively there are at least 2,000 backdoored websites serving as actual malware hosts. As a result, there is no single or few points at which to target efforts to shutdown the source of malware.”
Landesman also claimed that in early November, it discovered that the backdoor left in place on the compromised websites by the Gumblar attackers was being leveraged by other groups of attackers meaning that the sites were under their control.
The report claimed that tens of thousands of compromised websites have had malicious iframes embedded and any visitor will be exposed to a collection of exploits designed to silently install the Gumblar malware.
ScanSafe said that on Windows systems, the installed malware loads when sound-enabled sites or devices are accessed and it also injects itself into the Internet Explorer process and intercepts all web traffic to and from the computer.
Also, any captured FTP credentials are sent to the attacker thus furthering the growth of the Gumblar website botnet.