Reader Ben sent an email reminding me that I must have been living under a rock to miss the sudden uptick in Gumblar/JSRedir-R drive-bys.
Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival.
Although the infection method is not clear, given the variety of affected servers and platforms, the most likely cause is weak login credentials.
Update: Holger informed the ISC that the dropbox for this trojan, gumblar.cn, has been offline since last Friday, but a successor, martuz.cn, has come online.
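For site owners who want to check their own web root for the injected redirect, here is an added example (not from the diary or the ISC) that walks a directory and flags any URL pointing at the dropbox domains named above. The two domains come from the post; the file-extension list, the regex and the constructed sample pages are my own assumptions for the demo.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Dropbox hosts named in the diary. Anything else on this list would be an
# assumption; these two come from the post itself.
KNOWN_DROPBOX_DOMAINS = ("gumblar.cn", "martuz.cn")

# Assumed: file types that typically carry an injected <script> reference.
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")


def build_pattern(domains=KNOWN_DROPBOX_DOMAINS) -> re.Pattern:
    """Match a URL (with or without scheme) whose host is one of the listed
    domains or a subdomain of it, case-insensitively. Look-alikes such as
    notgumblar.cn or gumblar.cn.example.org must not match."""
    alts = "|".join(re.escape(d) for d in domains)
    return re.compile(r"(?i)(?:https?:)?//(?:[\w-]+\.)*(" + alts + r")(?=[/:\s'\"?]|$)")


def scan_text(text: str, pattern=None) -> List[Tuple[int, str, str]]:
    """Return (line number, matched domain, stripped line) for every hit."""
    pattern = pattern or build_pattern()
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            hits.append((lineno, m.group(1).lower(), line.strip()))
    return hits


def scan_webroot(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Walk a web root and map each file with hits to its list of hits."""
    pattern = build_pattern()
    findings: Dict[str, List[Tuple[int, str, str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read(), pattern)
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo_webroot() -> str:
    """Write a constructed mini web root: a clean page, a page with an
    injected script tag, a text file that is not scanned, and look-alike
    hostnames that must not be flagged."""
    root = tempfile.mkdtemp(prefix="gumblar_demo_")
    pages = {
        "index.html": "<html><body><h1>Hello</h1>"
                      "<script src='/js/site.js'></script></body></html>\n",
        "about.php": "<?php echo 'about'; ?>\n"
                     "<script src=\"http://cdn.Martuz.cn/lib.js\"></script>\n",
        "notes.txt": "http://gumblar.cn/ mentioned in a text file, not scanned\n",
        "lookalike.html": "<a href='http://notgumblar.cn/'>x</a> "
                          "<a href='http://gumblar.cn.example.org/'>y</a>\n",
    }
    for name, content in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, hits in scan_webroot(demo_webroot()).items():
        for lineno, domain, line in hits:
            print(f"{path}:{lineno}: {domain}: {line}")
```

Run it against a real document root in place of `demo_webroot()`; a hit means the file references one of the named hosts and should be inspected and the credentials used to publish to that site rotated, since the post points to weak logins as the likely vector.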
-- Rick Wanner - rwanner at isc dot sans dot org
May 18th 2009