A recent development of the malicious JavaScript injection that compromised thousands of domains at the start of this month is being tracked by Websense Security Labs. The attackers have switched over to a new domain as their hub for hosting the malicious payload in this recent attack. In the last few hours the number of compromised sites has increased by a factor of ten.

When a user browses to a compromised site, the injected JavaScript loads a file named 1.js. The JavaScript code then redirects the user to 1.htm. Once loaded, the file attempts 8 different exploits. The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at this time.

The number of sites affected is in the hundreds of thousands and include UK government sites and a United Nations Web site. Casualties of the previous attack included various U.S. news Web sites, a major Israeli shopping portal, and numerous travel sites.