Websense Security Labs ThreatSeeker Network has detected a consistent decrease of sites infected with the malicious code over the past five days. It claimed that the decrease in infections is highly suspicious, and it believes that the infected hosts are still under the control of the attackers. Websense said that it suspected that those behind the infections might be automatically removing the injected scripts, getting ready to launch a new injection campaign soon. Meanwhile, Trend Micro claimed that analysis of the recent Gumblar attack that compromised thousands of legitimate websites was done through accessing web server files through stolen FTP credentials gathered by one of the final malware payloads of the same attack. It had been rumoured by ScanSafe, who originally reported on the attack, that this was the case, but it was not confirmed. Technical communications spokesperson JM Hipolito claimed that an infection chain initiated by the malicious scripts HTML_JSREDIR.AE and HTML_REDIR.AC end with the download of TSPY_KATES.G into the affected system. The data-stealer, TSPY_KATES.G installs itself as a driver on the affected system and monitors network traffic. It also steals FTP account information, which includes usernames and passwords. Hipolito said: “Also, as opposed to SQL injections, inserting malicious scripts by actually accessing web server files are relatively harder to detect. Web administrators, most likely learning from last year's string of mass compromises, are already keen on watching the typical areas in websites where malicious scripts are possibly injected. “However, unauthorised access by cybercriminals would enable them to place the malicious scripts where they won't be noticed, and in as many areas of the website as they want. This may explain the occurrence of malicious scripts in multiple pages of websites compromised by Gumblar.”
Via this, Trend Micro claimed that Gumblar was able to compromise more sites than when it initially launched the attack.
Beladen infections plummet
The number of sites infected with malicious code inserted by the Beladen injection has dropped significantly.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
.png&h=140&w=231&c=1&s=0)
Partner Content
Elastic's Open Source Strategy Drives Innovation and Expansion
.png&h=140&w=231&c=1&s=0)
Partner Content
Machine identity a key priority for organisations’ security strategies: CyberArk
Partner Content
What Embracing the AI Platform Shift Really Means
Partner Content
ElasticON Sydney 2025: Deriving value from your data with Search AI
Sponsored Whitepapers
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
