Comment: The silent danger of a clever Trojan

A popular travel website based in Croydon is one of hundreds of sites to have been attacked by a mysterious virus that is sweeping across the internet.

Directline-holidays, which offers cheap package holidays, is one of at least 200 sites - many UK-based - to be affected by a sinister computer virus, the likes of which security firms have never seen.

The virus, which was first detected late last year, attacks the computers of people who visit affected sites by installing a piece of software known as a Trojan, which is capable of stealing information and feeding it back to the attacker.

Unlike other viruses of its sort, the new program does not leave 'footprints' on affected sites, meaning that tracking its path across the internet is much more difficult.

"This attack is unlike anything we've seen," Mary Landesman, a researcher at the security firm ScanSafe, which has been helping one of the UK companies affected, said. "We've worked with one company that's been affected to completely rebuild their server from the ground up, and an hour later the problem came back."

ScanSafe said it estimated the number of websites affected to be 200, but two other companies - Finjan and Secure Works - believe the number could be as high as 10,000.

The sites affected were mostly "mom and pop" sites based in the UK running businesses in areas like travel, property and motoring, Ms Landesman said. They still attracted large numbers of visitors, however, because they performed well in search results.

One site listed by ScanSafe as having been compromised rents cottages in Yorskshire. Another provides replacement parts for Vauxhall cars.

A spokesman for Directline-holidays, which attracts 80,000 customers a day and is the top listed site in a Google search for 'cheap holidays', confirmed that one of the site's technical staff had noticed its servers had been behaving abnormally a week ago.

On analysis, the company discovered that the server had been targeted by a version of a virus "that most security software didn't recognise."

The server has now been removed and the remainder are unaffected, the spokesman said, adding that the site was hosted on one of the largest hosting services in the US.

"This is going to be an extraordinarily long-lived attack, because the evasion technique makes it so hard to take down," Don Jackson, a senior security researcher at SecureWorks said. "The underground hacker community is extolling its virtues and praising whoever came up with it."

It is unclear where those behind it were based, experts said, though the virus did not match any typical "attack patterns" of well-known Russian or Chinese groups.

Computer users were at risk, researchers warned, because many anti-virus programs were not capable of detecting 'dynamic' viruses such as this, which constantly changed their form.

Typically when a website is compromised, hackers install additional files on the site's server, directing a visitor's computer to do particular things when it lands on the site. Once these files are located, researchers can search for similar instances of them across web, enabling all affected site owners to be notified.

In this case, the site is hacked in such a way that only when a person visits the page are the malicious files installed on the site, meaning that they are otherwise undetectable to the company hosting it.

"We call it an 'on-the-fly' Trojan," Mikko Hypponen, chief research officer at the web security company F-Secure, said. "It's definitely a much more complex operation than we're accustomed to."

It is understood that only Windows users are affected by the virus.

Mr Hypponen urged computer owners to regularly update their virus protection, and always to download the latest version of browsers and other applications, such as media players, when prompted.

Explore Tech & Web

• Personal Tech

• The Web

• Gadgets & Gaming