Possible Domain Poisoning Underway
According to the Internet Storm Center, which posted an
alert on its Web site, it had received reports that the attack was redirecting traffic
from popular domains such as google.com, ebay.com, and weather.com.
DNS cache poisoning occurs when an attacker hacks into a domain name server, then
"poisons" the cache by planting counterfeit data in the cache of the name
server. When a user requests, say, ebay.com, and the IP address
is resolved by the hacked domain server, the bogus data is fed back to the browser.
Another tactic, dubbed "DNS hijacking," is similar, but simply changes the
domain server so that traffic is actually re-routed.
It's unclear which of the two tactics this attack is using.
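As an added illustration of the "counterfeit data in the cache" mechanism (example code, not from the article or from any of the firms quoted), the check below parses a DNS reply in wire format and flags any record whose owner name lies outside the zone that was asked about; a resolver that caches such records takes in planted data for names the answering server never controlled. The packet is constructed inline and the zone and IP values are made up.

```python
import struct

def read_name(pkt, off):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:                # compression pointer
            if end is None:
                end = off + 2                      # parsing resumes after the pointer
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if end is None else end)

def out_of_bailiwick(pkt, zone):
    """Return (section, owner, rtype) for every RR whose owner is not under `zone`."""
    zone = zone.lower()
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                   # QTYPE + QCLASS
    bad = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(pkt, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10 + rdlen
            if owner != zone and not owner.endswith("." + zone):
                bad.append((section, owner, rtype))
    return bad

# Constructed sample reply: question ebay.com/A, a genuine answer, and one
# planted "additional" record for google.com that ebay.com's servers do not own.
def encode_name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

def make_rr(owner, rtype, rdata):                  # owner: name, or raw pointer bytes
    owner = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)       # hdr: 1 Q, 1 AN, 0 NS, 1 AR
          + encode_name("ebay.com") + struct.pack("!HH", 1, 1)      # question: ebay.com A IN
          + make_rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10]))         # answer, owner = pointer to QNAME
          + make_rr("google.com", 1, bytes([192, 0, 2, 99])))       # additional: out of bailiwick
```

Running `out_of_bailiwick(SAMPLE, "ebay.com")` reports the planted google.com record; the same reply checked against the parent zone "com" reports nothing, which is why the check must use the zone the answering server is authoritative for.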
Even security firms had difficulty confirming the attack, however. Dan Hubbard, the
senior director of security at San Diego-based Websense, for instance, said that his team
had been investigating the report for several hours but had not yet been able to hit a
domain server that had been poisoned.
But Websense's monitoring of its customers' usage patterns did pick up a spike in
traffic to the three malicious sites supposedly feeding spyware to redirected users. (In
turn, the three feed users to one single site.)
"It's circumstantial evidence," he said, "but it seems something is
going on."
Nor was Hubbard able to confirm the targets of the poison and/or hijack. "We
haven't been able to trace a redirect from, say, Google," he added.
The hack could be quite localized if, for instance, the affected domain server was one
operated by an enterprise or small Internet service provider. "It's certainly not at
the root level, or we'd all end up at this malicious site."
Domain cache poisoning and domain hijacking, while rare, are not unheard of. In the
late 1990s, a vulnerability in BIND (Berkeley Internet Name Domain), the software used by
nearly all of the name servers on the Internet, was disclosed. A few exploits followed.
And in 2000, RSA Security was victimized by a Web defacement that really wasn't: instead,
domain cache poisoning simply fed bogus pages to users.
"One interesting thing about malicious Web sites is that the hackers have to get
people to the site," said Hubbard. "How they get people to their sites is
becoming very important. In this case, they're getting more creative than the traditional
phishing or instant messaging approach where links are sent to users."
The adware and spyware on the malicious sites is thankfully "not very
dangerous," said Hubbard. The sites try to download and install code and an ActiveX
control called "ABC Search Webinstall" that changes the browser's toolbar, its
home page, and search preferences, among other things.
For additional details of the attack as they become available, refer to the Internet
Storm Center's Diary page, which promises to update as
the Center finds out more.