Nine Ball infects over 40,000 websites

 

Gallery

By Matthew Sparkes

Posted on 17 Jun 2009 at 14:35

Over 40,000 websites have been compromised by a new attack called Nine Ball, warns security firm Websense.

The exploit attempts to install malicious code when a user visits one of the infected sites, including a keylogger and Trojans. It also evades investigation by security professionals by only allowing one visit - IP addresses are tracked, and repeating visitors are harmlessly redirected to Ask.com.

"If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code," warns Websense in an alert on its website.

"After redirection, the exploit payload site returns highly obfuscated malicious code," it says.

Nine Ball is the latest in a string of similar exploits to have been unearthed by the company, including Gumblar and Beladen, leading it to believe that the same people could be behind all of them.

"These Trojans have a very low detection rate," says Stephan Chenette, manager of security research at Websense, speaking to Network World. "Many are polymorphic or created on the fly."

Earlier this week it emerged that virus writers are increasingly taking advantage of large capacity and highly mobile USB flash drives to spread malicious code.