20,000 sites hit with drive-by attack code

According to a warning from Websense Security Labs, the sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site.

The company discovered that the active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com).

This is unrelated to the Gumblar attack, Websense said.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site has been seeded with several different attacks targeted unpatched software vulnerabilities.  The malware that gets loaded on compromised Windows machines is linked to scareware/rogueware (fake security applications).

Malware purveyors have increasingly turned to legitimate Web sites to launch attacks, using SQL injection techniques to compromise and hijack high-traffic sites.

According to data from MessageLabs, about 85 percent of Web sites blocked for hosting malicious content were 'well-established' domains that have been around for a year or more.