Gumblar Botnet Ramps Up Activity
- Thursday, January 21, 2010, 11:12
- Threat Research
On the heels of learning that Gumblar infected three Japanese websites late last year, MessageLabs Intelligence has tracked Gumblar’s latest activity, which has been heavy over the past few days, especially on 17 January, when it represented 25 percent of all malicious blocks. Generally in January we have seen a small number of blocks each day: an average of 46 blocks per day (2.3 percent of malicious blocks).
Gumblar: malicious sites blocked by MessageLabs
Some general statistics
• Since Feb 2009 MessageLabs Intelligence has made 36926 blocks of Gumblar on 4930 URLs across 2048 different domains
• Originally the malware was served up via a malicious site called gumblar.cn in April 2009, and the threat was named after that. Subsequently the same malware has appeared on thousands of domains, some set up with malicious intent to infect visitors, and some legitimate sites that have been compromised/changed so that they serve malware to unsuspecting visitors.
• The most commonly blocked top-level domain for Gumblar is .com (48 percent), and most of these are legitimate sites that have been compromised.
• The next most common ones are .co.uk with 5 percent and .net with 5 percent.
Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services