Nine Ball Attack
Another day, another massive attack that compromises the security of thousands of users. Just as we were getting ready to declare victory over Conficker (and settling in for a long battle with Gumblar), along comes Nine Ball, another difficult-to-defeat offensive that hijacks Web sites and tries to load malware onto a user's PC. The virus has a trick up its sleeve; repeat visitors to infected sites are dumped to Ask.com, a sneaky move that prevents security experts and investigators from being able to discover too much about the host of the malware.
According to Internet security firm Websense, Nine Ball has already compromised over 40,000 Web sites. The attack redirects visitors to an infected site that attempts to install malware and keyloggers (applications that can track your keystrokes) onto a PC, all intended for stealing personal data and passwords. The infected site will search the user's browser, QuickTime, and Adobe Reader for vulnerabilities that it can then exploit to load the malicious software.
Nine Ball is a particularly difficult foe for several reasons. First, it resists investigation by checking a visitor's IP address against a list of previous visitors. Second, the trojans installed by Nine Ball on a PC are constantly mutating, making them very difficult to detect and destroy with traditional anti-virus software.
There is currently no sure-fire way to protect yourself from a Nine Ball infection or to clean one up (except reinstalling Windows). All you can do is make sure that all your software packages, including those targeted by the attack, are up-to-date, and install the appropriate security software.
Source: Network World
