The malware attack, covered in our weekly brief last week, is known by some as Gumblar and by others as JSRedir-R. It installs malware on a victims' machine that locally modifies Google search results, replacing the legitimate results with links to affiliates' pages. This is presumably a money-making tool for the customers that pay the malware gang to distribute the attack.
The malware was originally delivered from a server with a Latvian IP address, according to managed security firm ScanSafe. A script inserted on hacked legitimate websites would force them to connect to the server, delivering a drive-by download to the victims' machine.
Google got wise to the technique, and began de-listing servers that had been infected with the script, but the hackers responded by issuing a more complex, sophisticated script that was obfuscated to avoid detection. This script pointed to the gumblar.cn domain, which delivers malware that takes advantage of unpatched Adobe PDF Reader and Flash applications.
Now, a second domain - Martuz.cn - has been identified, although the site was down all day yesterday, according to ScanSafe researchers, who mused that the attackers may simply be taking a break while the media attention cools. Infected sites pointing to gumblar.cn were up 7% overnight.
"This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits," said a United States Computer Emergency Readiness Team (US-CERT) advisory on the attack. FTP credentials could be used to inject the script into more sites, spreading the infection vectors.
Sophos said that the attack was responsible for 42% of drive-by download infections between May 6-13.