Nine ball attack was 'overstated'

The Nine Ball attack could be less dangerous than at first thought

Security as a service firm ScanSafe has poured cold water on claims that the so-called 'nine ball' attack discovered earlier this week compromised over 40,000 legitimate websites.

In a blog posting on Monday, security vendor Websense claimed that it had detected a "large mass injection attack" in the mould of Beladen and Gumblar.

“We’d been monitoring Nine Ball 'sleeping' for couple of weeks before it woke up," said Websense threat manager Carl Leonard.

"In its dream state it benignly redirected users to a search engine, almost as a decoy. But a couple of days ago the alarm clock went off and now it sends the user on a series of redirects to malicious sites.

"The attacker records the visitor's IP address so, once the damage has been done, the user can be recognised. If they visit one of the 40,000 infected sites again, they're benignly redirected to a search engine once more."

However, writing on the ScanSafe blog in response, senior security researcher Mary Landesman said the attack was almost "non-existent". She argued that ScanSafe's data indicated that the total number of requests to sites involved in the attacks is 333, while the number of compromised sites is just 62.

ScanSafe also looked at the popularity of the compromised sites and found them to have very low ratings, according to web information company Alexa.

"Our view is also shaped by the fact that we see well over a thousand unique web attacks every month, some that are big like Gumblar and some that are very small like 'nine-ball'," she wrote.

"From our unique perspective, 333 requests involving 62 compromised web sites is certainly not something we would brand a 'massive injection'."