Avast has released a new analysis of the latest variant of the Gumblar (which Avast refers to as Kroxxu) malware. This analysis and the media coverage of it contain some misleading information about the malware.
Some of the media coverage has claimed this is new or newly detected, but this variant has been around since October of 2009 and was detected at the time.
Avast refers to infected servers, but the malware does not affect the servers at all; it instead affects individual websites hosted on a server. This is an important distinction because on shared servers Gumblar would not infect other websites that it does not have FTP credentials for. Avast claims that there is “difficulty in removing” it, which is not true. If a clean backup is available, the website can simply be reverted to that. If one is not available, the malware code needs to be removed from the files, which is no more difficult than with any other malware added to websites. More sophisticated malware does infect the server itself, making it more difficult to clean.
Avast also emphasizes that the infections have remained on websites for long periods of time, which is true, but this is not out of the ordinary for website malware.
While it is difficult to measure the size of website malware infections, the current and historical size Avast claims is not above the level of many of the larger malware infections.