Around 230 UK-based Web sites have been hit by a new form of malware that is being delivered dynamically, security vendor ScanSafe says.
The malware being delivered ranges from backdoor trojans to rootkits, said ScanSafe researcher Mary Landesman.
"Even though the hosts are working diligently, their systems are being recompromised repeatedly," Landesman told ZDNet Australia sister site ZDNet.co.uk last week. "This is not just a matter of wipe and restore. The attack is extremely sophisticated."
The complexity lies in discovering how the hosting companies are being infected and reinfected, said Landesman, who declined to name the companies involved. ScanSafe is investigating the infection process together with security researchers from SecureWorks.
The researchers initially suspected reinfection to be the result of a rootkit-enabled Loadable Kernel Module planted on the host servers. However, Landesman said this is now looking less likely, as a number of the hosts rebuilt their Apache kernels, and suffered reinfection.
"There could be some underlying compromise, but a rootkit on the server is seeming less likely," said Landesman. "There could be a rootkit or backdoor on a managing workstation in the host."
"Once they are in the door, the attackers are leveraging the promiscuous behaviour of modules on Apache servers to accept and run scripts -- they're responsible for controlling the impact of malware we're seeing on the Web sites," said Landesman. "The scripts are randomly generated."
Another piece of the puzzle is the high amount of traffic to infected sites, which ScanSafe describes as "unexpectedly high".
While 230 predominantly UK sites are known to be infected, exact numbers of infected sites and hosts are difficult to gauge, said Landesman.
Another alternative is for users to scan search results using free tools such as ScanSafe's Scandoo beta, the company said.