"The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites," the report says. "This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign."
The report indicates the exploit had infected some 20,000 sites, but researchers this afternoon told reporters the figure is now closer to 40,000.
Like Gumblar, the attack redirects users who conduct searches on popular Websites and search terms. The browsers are routed through a statistical server and then onto the Beladen.net site, a well-known carrier of malware.
Websense researchers suspect the exploit might be driven by the Russian Business Network, which is the home of the first statistical site that users are redirected to.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.