A mass injection attack dubbed Lizamoon is spreading rapidly and has infected up to more than 1.5 million URLs.
The attack was first announced by Websense on Tuesday, when the content-filtering firm said 28,0000 web pages had been infected.
"The Lizamoon mass injection is one of the largest mass injection campaigns we have ever seen," said Carl Leonard of Websense Security Labs.
The number of the compromised URLs is still increasing, and more domains or payload sites have started to be involved, in addition to the original lizamoon.com, he said. These include world-of-books.com, alexblane.com, and alias-carter.com.
The attack uses SQL injection techniques to insert rogue code into the databases of PHP and ASP websites.
Websense says it is not aware of a vulnerability in Microsoft SQL Server 2003 and 2005. The most likely vulnerabilities, researchers say, are in the web systems used by these sites, such as outdated CMS and blog systems.
The payload sites remain inactive at present, says Leonard, although they could be 'switched' on at any time.
"We can only speculate as to what the bad guys are waiting for," he said.
According to Websense, all the injected code does is a redirect to a rogue antivirus site, but researchers has seen the scripts change over time to redirect to several different rogue antivirus sites.
The fake sites display fake antivirus alerts to persuade people to download a rogue application called Windows Stability Center.
If downloaded, the malware displays security alerts and advises users to buy a licence to fix the problems. The aim is to steal the payment and the buyers' credit card details.
Video: LizaMoon mass injection explained