Tuesday, Oct 20, 2009

Zeus Bot Joins Gumblar Attacks

Throughout the Gumblar attacks, we've observed companion malware being co-injected into the Gumblar-compromised pages. In this latest stage, the companion iframe is injected at the start of the source code. This placement keeps the pages from being easily discovered via searches, because search engines typically don't index anything before the opening html tag.

The iframe pulls exploit code and malware from ncenterpanel.cn, a domain that has been associated with the Zeus botnet in the past.

Interestingly, compromised pages are also being injected with external source references to the malware contained on other compromised sites. Those who followed last week's report of the newest Gumblar technique will recall that, unlike traditional compromises, which simply inject pointers to malware hosted on an attacker-owned domain, in these attacks the compromised domain also acts as host for the malware itself.

This method of attack complicates remediation via technologies that rely on blacklisting, because the number of compromised websites (now acting as malware hosts) is in the thousands. It also makes the Gumblar-compromised websites a triple threat, potentially exposing visitors to the malware contained on the compromised site, the malware loaded from ncenterpanel.cn, and the malware loaded from other compromised sites.
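A site owner's check for the two injection patterns described above, as an added example that is not part of the original post: it flags iframe or script tags placed before the opening html tag and lists the external hosts referenced by their src attributes. The function name, the sample page and all hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# iframe/script tags with a src attribute: the two injected element types
# the post describes (companion iframe, external source references).
TAG_RE = re.compile(r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
HTML_OPEN_RE = re.compile(r"<html\b", re.I)

# Constructed sample page: one iframe ahead of <html>, one local script,
# one script pulled from another (hypothetical) site.
SAMPLE = (
    '<iframe src="http://injected.example/in.php" width="1" height="1"></iframe>\n'
    '<!DOCTYPE html>\n<html><head>\n'
    '<script src="/js/site.js"></script>\n'
    '<script src="http://other-site.example/images/gallery.php"></script>\n'
    '</head><body>Hello</body></html>\n'
)


def audit_page(source, own_host):
    """Audit one page's raw source.

    pre_html: (tag, url) pairs found before the opening <html> tag
    external: sorted hosts, other than own_host, loaded by iframe/script src
    """
    m = HTML_OPEN_RE.search(source)
    # With no <html> tag the position check does not apply, so flag nothing.
    html_start = m.start() if m else 0
    pre_html, external = [], set()
    for tag in TAG_RE.finditer(source):
        name, url = tag.group(1).lower(), tag.group(2)
        if tag.start() < html_start:
            pre_html.append((name, url))
        # Relative URLs have no hostname and are served by the site itself.
        host = (urlparse(url).hostname or "").lower()
        if host and host != own_host.lower():
            external.add(host)
    return {"pre_html": pre_html, "external": external and sorted(external) or []}


if __name__ == "__main__":
    print(audit_page(SAMPLE, "www.victim.example"))
```

Because the external hosts may themselves be legitimate sites that were compromised, the output is a list to review against the page's known-good source, not a blacklist.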

 
