Security firm ScanSafe reported that a number of pages connected to the Gumblar attacks in May had been serving malware to visitors.
The company noted that the attacks were unique in that rather than infect the pages to link to a single attack site, each of the compromised servers is hosting the malware on its own.
In addition to the compromised pages, the botnets operators have inserted a script that redirects users to the attack sites into a number of web forums.
"The majority of the compromised websites are small mom and pop style websites in non-English speaking countries, but that's not important because the attackers have a clever trick for driving traffic directly to the malware hosted on those sites," noted ScanSafe senior security researcher Mary Landesman in a blog posting.
First appearing in May, the Gumblar attack gained notoriety in the security world for the speed at which the malware was spreading. The attack compromised not only the target system, but also checked the machine for FTP credentials which were then used to target other pages for infection.