The Nine-Ball attack is deployed when a user visits a legitimate website that has been infected with the malicious code. From the legitimate website, unsuspecting users are redirected behind the scenes through a series of different sites owned by the Nine-Ball’s hackers.

The diagram below depicts a typical url progression that happens behind the scenes during a Nine-Ball deployment.

Nine-Ball Progresstion

When an infected site is visited for the first time, the user is directed to the ninetoraq.in exploit payload site where the visitor’s IP address is recorded and the trojan download is installed.

If a user on the same IP visits the legitimate website again, he or she is directed to the benign site of ask.com. Security experts speculate that the Nine-Ball hackers are using a benign destination url to throw cyber security investigators and cyber crime analysts off track.

The scary part is that most antivirus applications will not detect Nine-Ball’s malicious code. Websense experts report, that “the exploit is detected by only three of the 41 most commonly used AV programs.”