Gumblar Website Botnet Awakes

[SysAdMini]

http://blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html

Remember last May when we suggested that Gumblar was building a botnet of compromised websites? It appears that Gumblar is now using those compromised websites as hosts for its malware.

In a typical outbreak situation, there are compromised websites that act as a conduit for malware hosted on an attacker owned site. But in this case, the malware resides on thousands of legitimate (but compromised) websites.

The path/filename of the malicious .php file on the compromised site is identical to an already existing path/filename of a legitimate and already existing file (usually .gif or some other image type).