The security firm reported a marked increase in the number of websites falling victim to the Darkleech attack on Wednesday, warning that many of them are hosted in the UK.
Zscaler's Krishnan Subramanian wrote: "The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.
"We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2. We identified the following sites being compromised in the past week within observed Zscaler traffic."
Subramanian said that the complex nature of the attack's exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.
"The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file," explained Subramanian.
"Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task."
The attack was already believed to have infected thousands of websites when it was first uncovered earlier this year. Subramanian said businesses or website owners that are worried their site has been infected should contact their Apache server host to ensure they have installed the CVE-2012-1557 security patch to fix the flaw.