
Web Attacker with VML being set up.

09.24.2006 - 8:15 PM
We are starting to see some sites attempting to upgrade to the latest version of Web Attacker. As previously noted, there is a new version of the widely used and distributed Web Attacker toolkit that includes exploit code for the latest I.E. "zero-day" attack (VML). See: http://www.websense.com/securitylabs/blog/blog.php?BlogID=80.

As you can see in the screenshot below, the statistics page that is included in the toolkit has now also been updated. The VML exploit code is being counted as "MS06-XMLNS". As you may also notice, the example site shows the number of hosts that have connected and have been infected as zero. We believe that this is either a bug or a configuration error.

We have connected to other sites that also appear to be in the middle of setting up their sites.

The particular site below is one that we have had in our database for some time and has had high levels of connections in the past.

Special thanks to Roger Thompson at http://www.explabs.com for research collaboration.

 

 
