Gumblar Tops Google's Malware Domain List
Yesterday, Niels Provos of the Google Security Team posted a list of the top ten malware domains (based on the number of compromised websites referencing the malware domains).
Gumblar.cn topped the list with 60,000 compromised websites detected. Martuz.cn, the third stage of the Gumblar attacks, was in the number two spot with 35,000 compromised websites referencing that domain.
(It's assumed, but not known, that the 35,000 martuz.cn-referencing sites are included in the 60,000 gumblar.cn-referencing sites. If not, the Gumblar attack numbers are that much higher.)
By contrast, Beladen.net was pretty far down the list at position 124 with approximately 3,500 compromised sites, according to the Google report. This contradicts claims from Websense and others placing the number of Beladen-compromised sites as high as 40,000. Beladen-compromised sites accounted for only 0.03% of ScanSafe Web malware blocks in May 2009, compared to Gumblar-compromised sites at 37%.

Mary Landesman
Reader Comments (1)
A scan by Spyware Doctor identified a possible infection by Gumblar. When I used FileAlyzer to attain the SHA1 number for the file sqlsodbc.chm, I was unable to find a match with the numbers or file size provided on your ScanSafe STAT Blog. Now, since there was no match (and I used the Search tool on your STAT Blog to do this), does this mean that my computer is infected with this trojan? If yes, what do I do about it now? A McAfee virus scan of the sqlsodbc.chm file did not reveal that it was infected, and Spyware Doctor was unable to remove it. However, Spyware Doctor's quarantine archive did show two files, but their file names were given as Adware.MegaSearchlsd6 and Backdoor.Bandok, and neither was quarantined today.