Security researchers are warning of the latest malware exploits that seize on website flaws in an attempt to inject malicious JavaScript code and ultimately spread malware to unsuspecting visitors.

The malware exploit, called Gumblar has been spreading onto websites through stolen FTP credentials, vulnerable Web applications and poor configuration settings, according to an advisory issued by the U.S. Computer Emergency Response Team (US-CERT). Visitors to corrupted websites who haven't applied updates to various Web applications, including Flash Player and Adobe Reader, could become victims to a drive-by malware download.

"This malware may be used by attackers to monitor network traffic and obtain sensitive information," the US-CERT said in its advisory.

The attacks are not new, but researchers are trying to figure out exactly how so many websites became infected by the flaw, said John Harrison, group product manager for Symantec Security Response. Harrison said statistics from the Norton Community Watch, a program that collects security and application data from Norton antivirus users, logged about 10,000 attacks from the malicious Gumblar domain.

"From our perspective, there's been so many of these that it is really just another new one in a long line of ones," Harrison said. "Considering the number of attacks we saw and the number of different websites infected, this is somewhat small in comparison."

Symantec and other security vendors have been successfully blocking malware that attempts to exploit known Web application vulnerabilities. Security researchers have also detected most of the China-based Gumblar domains and have gotten them shut down to protect websites from falling victim, but according to Symantec, those behind the attack have recently switched domains to Martuz, malicious domains based in the UK.

"Drive-by downloads form mainstream websites are the number one way that consumers and users are being infected today," Harrison said. "It's easy for an attacker and unfortunately a lucrative way to try and get malware to do things on a website or to try and rig some of the advertising schemes that are out there."

As much as 60% of all websites have a serious flaw that are used by attackers to spread malware or gain access to sensitive data, said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. Grossman said the state of  website security is improving. But even high profile websites continue to be victimized by attackers, he said.

"Someone is going to find a way to get in," Grossman said. "That's why we've been talking about taking a multi-level approach to protect what you already have live and work with developers to improve coding before new sites are brought online."

In statistics released today, WhiteHat said websites its scans have a 65% chance of containing XSS bugs followed by information leakage and content spoofing errors.

{TECHTARGET}