A piece of malware that masquerades as antivirus software has been found on 200,000 web pages or almost 30,000 unique sites, says computer security group Websense. The exploit, which mostly affects sites built with WordPress, places a short piece of injected code at the bottom of a page:
When a user loads the page, they're redirected to a page in the .rr.nu top-level domain that mimics a Windows security scan, then asks them to download a malicious program to supposedly clear viruses from their computer. It's a scam that's been running in various forms for years, and Websense says it's been tracking this particular threat for several months.
Although the source of the malware is unknown, over 85 percent of the affected sites are from the United States, and Sucuri Security has traced many of the cases to old WordPress installs, weak passwords, or vulnerable and malicious plugins. The exploit isn't as widespread as something like DNSChanger, and so far the reports we've seen have been for smaller sites. However, for anyone who runs WordPress software, it's something to watch out for.