A prolific variant of the Gumblar Trojan has performed another vanishing act, disappearing suddenly from malware figures gathered by Kaspersky Lab.
The company’s statistics for April show that the Gumblar.x downloader was nowhere to be seen after being the most recorded piece of malware for February and March.
This is not the first time it has receded suddenly. After appearing in March 2009, Gumblar and subsequent variants went to the top of various company’s malware league tables by October, at which point it started to die out. By January 2010 it had disappeared altogether before surging once again, seemingly from nowhere.
Gumblar and its variants are effective and versatile pieces of malware, recording 453,000 infections detected by Kaspersky during February alone. Its main means of spread is to use compromised websites to serve malicious browser scripts, which redirect the PCs of infected users. It can also be used to steal FTP and other logins for websites.
It is not clear why the malware appears and disappears so suddenly. It is unusual for malware other than Internet worms to surge and recede in this fashion, but it is likely to be a technique to keep some of the compromised websites beyond the range of easy detection.
“Kaspersky Lab advises that this should act as a warning sign, as this is typical of Gumblar.x’s behaviour and is reminiscent of events reported by the company in February,” says the company advisory.