Scansafe, the largest global provider of Web Security-as-a-Service, reported that a stealthy malware called Gumblar targets users of Internet Explorer and forcibly redirects Google search page results to compromised pages. It also steals FTP details of victims and creates a backdoor on the system. It is named for the domain involved in the attacks.

“The stolen FTP credentials are then used to further compromise any Websites owned or operated by the victim,” Mary Landesman, senior security researcher at ScanSafe, told eWEEK. “As a result, there is exponential growth of these compromises—as more victims are infected by encountering a compromised site, the number of compromised sites also increases and thus more visitors are exposed.”

Landesman told, “Gumblar attacks have jumped nearly 188 percent over the first week of May.” The report also says that more than 1,500 Websites including, and have been attacked in the first week of May.

The goal of the malware is to siphon dollars from Google’s highly profitable advertising franchises, by replacing links in the Google’s search results page with those of the attacker’s choice.

The attacker has made exploit code unique for every website, so it has become hard to identify a compromised site until it is surfed. Actually, the malware embeds malicious Javascript deep into a website’s source code that exploits the bug in a visitor’s Adobe Flash and Reader programs and makes the victim join a botnet that manipulates their Google search results. So users are advised to make sure their patches from Adobe Systems are up-to-date.

A Google spokesman told that some compromised sites associated with this exploit may include a warning, saying “this site may harm your computer” associated with their search results listing.