Websense Alert

13 Jan 04:04

Throughout December, Websense Security Labs reported a number of cases where browser and operating system vulnerabilities were used to install potentially unwanted software onto end users' machines without user intervention. In several cases, dozens of pieces of code were installed, and these often reported false information to entice the end user into cleaning the machine of spyware.

We are now seeing some of those same entities using their exploit code to install more reprehensible crimeware, such as key loggers and phishing traffic redirectors. This code is designed to steal information in addition to installing potentially unwanted software.

Users are typically infected through an IFRAME, loaded silently from a compromised website or an advertisement network pop-up. The exploit code loaded through these IFRAME tags attempts to use several dozen vulnerabilities, including the two recent zero-day vulnerabilities, MS05-054 and MS06-001. Users who are already patched against these vulnerabilities are instead shown an ActiveX prompt asking them to install the exploit code.

The IFRAME SRC loads a URL similar to these (NOTE: The URLs have been removed):
http:// too1barXXX.biz/dl/fillmemadv470.htm
http:// too1barXXX.biz/dl/sploitadv470.anr
http:// too1barXXX.biz/dl/xpladv470.wmf
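As an added illustration of how a defender could spot this delivery pattern in captured page content, the following Python script (written for this bulletin, not Websense code) scans HTML for IFRAME tags whose SRC points at the file types named in the sample URLs above (.wmf for MS06-001, .anr for MS05-054) or which are hidden from the user. The hidden-frame heuristic (zero or one-pixel size, or display:none) and the sample page with the example.invalid host are assumptions constructed for the demonstration.

```python
"""Flag IFRAME tags that load exploit-carrier file types or are hidden.

Added example for the Websense alert above; not Websense code. The
extension list mirrors the alert's sample URLs; the hidden-frame rules
and the sample HTML are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types seen in the alert's IFRAME SRC samples (.wmf, .anr).
SUSPECT_EXTENSIONS = {".wmf", ".anr"}


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Assumed heuristic: display:none/visibility:hidden or a <=1px frame."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").lower().strip("px"))
        height = int(attrs.get("height", "100").lower().strip("px"))
    except ValueError:
        return False
    return width <= 1 or height <= 1


def find_suspect_iframes(html):
    """Return [(src, [reasons])] for each IFRAME worth an analyst's look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        path = urlparse(src).path.lower()
        ext = path[path.rfind("."):] if "." in path else ""
        reasons = []
        if ext in SUSPECT_EXTENSIONS:
            reasons.append("src extension " + ext)
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one silent exploit-carrier frame (mirrors the
# shape of the alert's /dl/xpladv470.wmf sample), one hidden .htm frame,
# and one ordinary visible advert frame that should not be flagged.
SAMPLE_PAGE = """
<html><body>
<iframe src="http://example.invalid/dl/xpladv470.wmf" width="0" height="0"></iframe>
<iframe src="http://example.invalid/dl/fillmemadv470.htm" style="display: none"></iframe>
<iframe src="http://example.invalid/ads/banner.html" width="300" height="250"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspect_iframes(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

Run as a script it prints the two suspect frames; in a proxy or mail gateway the same function would be applied to fetched HTML before it reaches the browser, and any hit on a .wmf or .anr SRC is worth blocking outright rather than merely logging.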

These exploits function as downloaders, performing HTTP GET requests to other websites to install their payload. Initially, the primary goal of these downloaders was to install unwanted software, such as counterfeit anti-spyware removal tools, toolbars, adware and other potentially unwanted software.

Recently, we have seen the downloaded files performing additional functions, including:


For further information follow the link below.

Related links: (Open in a new window.)
www.websensesecuritylabs.com/alerts/alert.php?AlertID=395

Taken from Information Security Bulletin.