A Websense study demonstrates that the much-discussed Gumblar virus, which steals FTP data in order to hack websites and infect users, is still highly active. In mid-May the number of contaminated websites increased explosively, from fewer than 3,000 in the first two weeks to over 80,000 infected websites on 17 and 18 May. By now the number of hacked websites has decreased to about 50,000 domains.
One of the contaminated PDF documents used to infect visitors contains the text “Boris like horilka”. Horilka is Ukrainian for vodka, says Gary Warner. In addition to an exploit for Adobe Reader, the attackers also use a well-known exploit for Adobe’s Flash Player. Hundreds of thousands of Internet users may have visited the harmful domains.