Gumblar, known in Japan as Geno, is a unique botnet: it not only creates a botnet of compromised PCs, it also backdoors compromised websites, enabling continued remote access and manipulation. Gumblar was first discovered by ScanSafe researchers in March 2009. Gumblar spreads by injecting malicious iframes into compromised websites. Visitors to those websites are then silently delivered exploit code which, if successful, downloads the Gumblar backdoor to the susceptible PC.
What is a Botnet?:
A botnet is a collection of compromised (infected) computers under the collective control of remote attackers. The malware on the infected computer is known as a bot, a type of backdoor or remote access trojan (RAT). Bots communicate with botnet command and control (C&C) servers, enabling the remote attacker to update existing infections, push new malware, or instruct the infected computer to carry out specific tasks. In general, the presence of the bot gives the remote attacker the same abilities as the legitimate logged-in user.
More About Gumblar:
Gumblar steals FTP credentials from infected PCs, sending the stolen credentials to remote attackers. These attackers then log in to any websites owned by the victims, injecting those websites with hidden iframes and thus expanding the net of compromised and now infectious websites.
Gumblar was the most prevalent Web-delivered malware in 2009. Gumblar delivers companion malware along with its backdoor. In October 2009, Gumblar began delivering variants of the Zeus trojan, used to form Zeus botnets.