Travel sites and other web shops have been hit by the attack

Security experts said the sophisticated attack had succeeded on a larger scale than many other similar attacks.

Once installed on a Windows machine the malicious code steals passwords, browser data as well as login names for bank accounts and online games.

The attack is proving hard to defend against for both sites being hit and PC users who are caught out.

Big hitter

Security researchers at ScanSafe, Finjan and Secure Works separately discovered the nest of poisoned websites. Estimates of how many sites have been enrolled into the attack vary. ScanSafe said it knew of about 230 but Secure Works and Finjan believe the total could be as high as 10,000.

Yuval Ben-Itzhak, chief technology officer of Finjan, said it had been following the attack since early December when it noticed an increase in the number of attacks using poisoned websites.

"It's safe to say that there are thousands of these out there," he said. He added that it was hard to get an accurate picture of just how many had been hit because security firms had limited resources to scan all potential targets.

The attack exploits loopholes in many Windows programs

Sites enrolled by the ongoing attack include trade papers, travel firms, ad brokers, estate agents, butchers, hotel booking sites and car spare specialists.

Although all the websites that have become poisoned hosts use the same server and remote administration software, researchers have struggled to spot all the ways they are being compromised.

"We know some of the methods," said Mr Ben-Itzhak, "they are trying to exploit known vulnerabilities in open source content management software that the sites are using."

Spotting the attack code on a site was very difficult, he said, because every time a new user visited the code got a new, random five character name. If a visitor returned the malicious code identified them and did not launch a second attack.

Open Windows

Simon Heron, managing director of security firm Network Box, said: "It looks like the rootkit type technique that we have been worried about for the last two or three years. It's very clever."

A rootkit hides itself deep inside an operating system in an attempt to avoid detection.

Mr Heron said the code injected on the websites scanned the machine of any visiting Windows user to see if any one of 13 separate vulnerabilities were present.

It looked for vulnerabilities in browsers, instant messaging programs, document readers and media players, he said.

The code installs a small trojan through any one of these loopholes then lies dormant until a user types in data that it is interested in - such as login names for online banks or games such as World of Warcraft.

As yet the trojan installed on a PC is not recognised by many widely used anti-virus programs.

Philippe Courtot, founder and head of security firm Qualys, said small web shops and companies were increasingly becoming a target for criminally-minded hackers.

"Small businesses do not have the money to protect themselves," he said.

He added that hosting firms who owned and ran the servers on which these firms place their websites, viewed security as something extra they had to do rather than build it in.

"Hosting companies, for them today, adding security is a cost," he said.