Security maven Mary Landesman is in the midst of piecing together a who-done-it involving the infection of hundreds of websites that are generating an enormous amount of traffic. Or maybe it's a how-done-it. Either way, she's mostly drawing blanks. Landesman is a researcher for ScanSafe, a company that monitors the web surfing of employees at large companies and provides them with real-time intelligence about what sites are spreading malware. When a client visits a site that has already attacked someone else, the service automatically blocks the site from loading in the end user's browser. Viewing some seven billion web requests per month, company researchers see a fair amount of internet gremlins.

Over the past four days, 15 per cent of the blocked malicious traffic has come from just a few hundred sites, which appear to be legitimate ecommerce destinations that have been compromised by attackers. This prompted Landesman to do some digging, and what she uncovered is unlike anything she's seen before. For one thing, the sites themselves are hosting the malware, which is then foisted on visitors. Most of the time attackers are unable to gain such a high degree of control over the sites they hack, so they redirect end users to servers under the control of bad guys and use them to drop malicious payloads.
Ed. note: People are linking Apache/PHP as Linux because all of the affected sites were running Linux! They have obviously not read over the WHT postings which detail those affected and whose servers have been exploited to serve this junk. What's more, it's not an Apache or PHP exploit (though some application layer stuff may have been used for the initial compromise); it's a rootkit which has buried itself deep down at the kernel. From what I've read it looks like there might be an unpublished flaw in cPanel (though I'm sure I've heard before that there are some lesser known exploits in cPanel) which allows an attacker to gain root on the box and install the rootkit.