The drive-by-download threat, Grumblar, continues to cause widespread infection, through the number of Web sites compromised with the malicious code appears to have declined since late May, according to Web security firm Websense. The multi-stage threat, which first compromises Web sites to install malicious code that is then used to infect visitors' PCs, rocketed eight-fold in mid-May, according to an update posted to Websense's research blog on Friday. Attackers use stolen FTP credentials to embed the first stage of the attack on legitimate Web sites. Gary Warner, a professor of digital forensics at the University of Alabama, document an investigation he and his students performed on a compromised Facebook group. The group, which boasted 40,000 members, contained a link to a malicious site that attempted to infect visitors with Grumblar. "Their (site's transfer) logs indicated that the malicious content was uploaded to their server by a visitor from the Ukraine, who had logged in using their webmaster's correct userid and password," wrote Warner. "It wasn't a poorly chosen password, and it wasn't brute forced. They logged in successfully on the first try, indicating that their webmaster probably had a keylogger running on his home computer. In other words, the webmaster's FTP password was known to the criminals." The attacks, dubbed "Grumblar" for the name of the site in China to which visitors were originally redirected, was first detected in March, spiked in mid-May, and has since declined. A malicious PDF file uploaded to victim's systems by Grumblar contains the phrase, "Boris likes horilka," according to Warner's blog. Horilka is the Ukrainian word for vodka. The software steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software.