Troj/JSRedir-AK morphs into Troj/JSRedir-AR

On Friday, while researching the blog on Troj/JSRedir-AK, I noticed a website with an infection of Troj/JSRedir-AK and a new piece of malware (Troj/JSRedir-AR).

Like Troj/JSRedir-AK, Troj/JSRedir-AR has two distinct forms:

  • one injected into HTML files as a malicious <SCRIPT> tag
  • the other appended to JavaScript files

The Gumblar team appears to have replaced the Troj/JSRedir-AK infections with Troj/JSRedir-AR. Over the weekend Troj/JSRedir-AR accounted for ~20% of infections, compared with ~8% for Troj/JSRedir-AK (NB: JS/Sinowal-Gen was at ~2%).

[From 2010-01-22 08:00:00 to 2010-01-26 10:00:00 PST (GMT-8)]

Interestingly, over at the Unmask Parasites blog, they also noticed this change.

It looks like this month my colleagues and I will be playing cat and mouse with the Gumblar team.