LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Frands on May 20, 2009, 07:46:04 AM

Title: Gumblar Malware Exploit Circulating
Post by: Frands on May 20, 2009, 07:46:04 AM
Quote: US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133239&taxonomyId=17&intsrc=kc_top

-----
Title: Re: Gumblar Malware Exploit Circulating
Post by: Eric the Red on May 21, 2009, 10:37:01 PM
Andrew Martin has partially deconstructed and analysed Gumblar; you can see the results of his work at the following link:

http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/