The Gumblar attack started in March with websites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the UK, ScanSafe said last week.
The domain was changed to martuz.cn before both domains were shut down. And now, the malware is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
"Fortunately, it appears the name servers themselves are being shut down," the company said in a statement. "However, even after Gumblar-related attacks subside, cybercriminals will still possess the botnet of infected computers obtained via Gumblar."
ScanSafe contends that Gumblar is worse than Conficker, a worm that spreads via a hole in Windows through removable storage devices and network shares with weak passwords, as well as disabling security software and installing fake antivirus software.
Gumblar, which was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May, has more intrusive behavior — it intercepts and monitors web traffic, and installs a data-theft Trojan that steals user names and passwords from infected computers, ScanSafe said.
In addition, once a Conficker infection is remediated there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more websites, potentially exposing many more victims, the company said.
This article was originally posted on CNET News.