Thousands of websites have redirected users to sites foisting the Blackhole exploit kit after attackers compromised DNS servers across three Dutch web hosts.
Attackers Monday modified the domain registration systems from the Netherlands based Foundation with external name servers, Foxit researcher Yonathan Klijnsma (@ydklijnsma) said.
All websites using domain name servers from Digitalus, VDX and Webstekker were compromised in the Blackhole attack.
"Every web site that was being requested responded with a blank 'under construction' page with an iframe ... running the Blackhole exploit kit," Klijnsma said.
The attack leveraged Adobe Reader and Java vectors in different instances and communicates with command and control servers over the Tor network.
The websites have been restored along with DNS caches which continue to serve the malicious content 24 hours after the attack was first rectified. Digitalus, VDX and Webstekker apologised in statements about the incidents.