FYI...
Multiple JS site injections/compromises...
- http://securitylabs.websense.com/con...logs/3461.aspx
08.14.2009 - "Recently, since Microsoft released information about new vulnerabilities in MS Office and DirectShow in July, attacks spreading through the infection of thousands of legitimate Web sites have increased sharply in the wild... The script redirects to four malicious pages which capitalize on different vulnerabilities. The vulnerabilities they target are:
Firefox Corrupt JIT state after deep return from native functionHeap (MFSA 2009-41);
Microsoft DirectShow (msvidctl.dll) vulnerability (MS09-032);
Microsoft Office Web Components Spreadsheet ActiveX vulnerability (MS09-043);
Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927).
The third feature of the injection campaign is the constantly evolving injection codes. It seems that the attackers use a randomizer to generate this kind of JavaScript, but ultimately they all point to similar exploits... obfuscated JavaScript is the most important means of injection, taking up over 50 percent of the total. In summary, all of these injection methods are easy to implement for attackers and difficult to detect for users, meaning that more and more innocent users are involved in this injection campaign. This campaign not only targets mass college Web sites, but is also spreading widely in other sites in China. At the moment, the number of compromised college sites is still very high, maintaining a level of around 800 sites..."