More than 40,000 websites have been hit by an internet attack dubbed Nine Ball that injects malware into pages and redirects victims to a site that will then try to download Trojans and keylogger code, according to Websense.

The security firm has been tracking Nine Ball for a week and a half, and said compromised websites, loaded with malware, will first try to identify a web visitor by IP address to discover if it’s a repeat visitor. To evade security researchers and investigators who would likely be among any repeat visitors, the web page will dump a repeat visitor onto the search engine site

“ is nothing malicious, you’re just sent there if they’ve seen you before,” says Stephan Chenette, manager of security research at Websense. This type of inspection and re-direction is becoming commonplace in web attacks as a way to evade investigation, he points out.

If a web visitor is new, the victim is pushed through a few more re-directions to land at the site, which may sound like a site in India, but is in Ukraine, Websense believes. The URL inspired Websense to name the attack method Nine Ball.

The final stop for a web victim includes a drive-by download attempt after the malware checks for vulnerabilities in the browser, Adobe or Quicktime software on the user’s desktop. If it succeeds, the attack will download a Trojan with a keylogger component that many anti-virus software packages do not yet identify, according to Websense.

“These Trojans have a very low detection rate,” Chenette says. “Many are polymorphic or created on the fly.”

There are a number of security failures that can help Nine Ball to compromise so many websites, including SQL-injection attacks on susceptible websites as well as bots that have stolen user passwords and logins for administrators of websites.

The Nine Ball exploit is distinct from two other mass-compromise methods observed of late - Beladen and Gumblar - but it’s possible the same instigators are behind them, Chenette says.