Alerts
Email Lures to VML Exploits
Date: 09.25.2006
Threat Type: Zero-Day Update
We are starting to see mass-mailing lures for websites that are hosting VML exploit code. Most of the sites are using updated Web-Attacker code. A recent example that came to us from Message Labs lures users to the site by claiming they have received a Yahoo! Greeting Card. The site downloads and installs an Internet Explorer Browser Helper Object that redirects all HTTP form POSTs to a third party, which then collects information on end users.
Screenshot of greeting card link:

Screenshot of iframe source:

Interestingly enough, the site was also part of a mass defacement earlier in the week, so it is definitely compromised.
Screenshot of Zone-H's mirror of the compromised server:

Special thanks to Roger Thompson at http://www.explabs.com for research collaboration.