Approximately 230 U.K. Web sites have been infected with malware that is being delivered dynamically, according to security vendor ScanSafe.
The malware being delivered ranges from backdoor Trojans to rootkits, said ScanSafe researcher Mary Landesman.
"Even though the hosts are working diligently, their systems are being recompromised repeatedly," Landesman told ZDNet Asia's sister site ZDNet UK on Thursday. "This is not just a matter of wipe and restore. The attack is extremely sophisticated."
The complexity lies in discovering how the hosting companies are being infected and reinfected, said Landesman, who declined to name the companies involved. ScanSafe is investigating the infection process together with security researchers from SecureWorks.
The researchers initially suspected reinfection to be the result of a rootkit-enabled Loadable Kernel Module planted on the host servers. However, Landesman said this is now looking less likely, as a number of the hosts rebuilt their Apache kernels, and suffered reinfection.
"There could be some underlying compromise, but a rootkit on the server is seeming less likely," said Landesman. "There could be a rootkit or backdoor on a managing workstation in the host."
"Once they are in the door, the attackers are leveraging the promiscuous behavior of modules on Apache servers to accept and run scripts--they're responsible for controlling the impact of malware we're seeing on the Web sites," said Landesman. "The scripts are randomly generated."
Another piece of the puzzle is the high amount of traffic to infected sites, which ScanSafe describes as "unexpectedly high".
While 230 predominantly U.K. sites are known to be infected, exact numbers of infected sites and hosts are difficult to gauge, said Landesman.
Another alternative is for users to scan search results using free tools such as ScanSafe's Scandoo beta, the company said.