Anti-virus software company Symantec has uncovered a new global web server infection. Hidden scripts on servers are redirecting website visitors to potentially malicious websites. So far over 3,500 hidden scripts on servers have been identified, which are being triggered when website visitors land on the compromised site. That visitor is then directed to a potentially malicious website.

This is a mass injection on a truly global scale. Hidden scripts on servers in over 75 countries have been discovered, although almost half of the compromised websites are located in the United States. 47% of infections were discovered in the U.S., 12% were discovered on servers in India, with the UK, Italy, and Japan accounting for 6% each. France, Canada, and the Russian Federation each had 5% of infections, with 4% discovered in Australia and Brazil.

The majority of compromised websites were used by businesses, and .edu, .gov, and other government websites had also been compromised.

Hidden scripts on servers pose a significant threat to website visitors

At the present moment in time the scrips have not been found to direct users to websites where drive-by malware downloads occur, nor have visitors been redirected to websites infected with malware. However, there is considerable potential for criminals to alter the scripts to deliver visitors to websites capable of delivering malware. A network of servers could be being built for a future global attack.

The malicious code injection can be found before the </head> tag. The injected JavaScript code set to run 10 seconds after the user’s browser has loaded the page. The script is used to launch multiple other scripts to mask the action from the visitor.

The scripts are understood to currently be used to collect data on users, which Symantec lists as including host IP address, Flash version, referrer, search term queries, page title, monitor resolution, user language, and URL page address. The hidden scripts could potentially be used for a wide range of malicious purposes.

All of the infections so far detected have affected a specific website content management system, although that CMS has not been disclosed. All website administrators are advised to check their websites and search for any injected code.

Should any code be located, it is not just a case of changing the administrator password and removing the script from the site. Backdoors may also have been installed and full webserver sanitization is likely to be required to totally remove the infection.