The exploits are often served from subdomains of 3322.org and 8866.org. A common filename is ie.html, which references what.jpg; that file contains part of the exploit code rather than a JPEG image. Some payloads download files named down.css and log.css, which are malware executables rather than stylesheets. Those executables in turn download other malware, including:
- Artemis!629E2332CFDA – Generic PWS.y!bsk
- Artemis!78043EBA321B – PWS-Mmorpg!la
- Artemis!911BCF95C022 – PWS-OnlineGames.gx
- Generic Downloader.x!coe
- Generic Dropper!byp
- Generic PWS.y!bsk
- Suspect-02!50CB7D4BB04E – Generic Dropper.hi
- Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
- Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
- Suspect-26!B01B63F88994 – PWS-Mmorpg!la
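As an added illustration of the pattern described above (this is not code from the original post or from McAfee Labs): a small checker that identifies served files by content signature rather than by extension, so that a what.jpg that is really script or a down.css that is really a PE executable gets flagged, and that matches hosts against the two parent domains named above on label boundaries rather than by substring. The sample URLs and byte strings are constructed placeholders, not observed artifacts, and the `fake_pe()` stub is a hypothetical minimal MZ/PE header built only so the example runs offline.

```python
"""Added example (not McAfee's code): flag files whose content does not match
the extension they are served under, and URLs whose host sits under the parent
domains named in the post.  All sample URLs and bytes below are constructed."""
import posixpath
from urllib.parse import urlsplit

# Parent domains named in the post; subdomains of these served the exploit.
WATCHED_PARENT_DOMAINS = ("3322.org", "8866.org")

# Extensions that should never carry executable or script content.
PASSIVE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".css"}

# Crude markers for script/shellcode-carrying text (heuristic, not a parser).
SCRIPT_MARKERS = (b"<script", b"unescape(", b"eval(", b"%u")


def sniff_content(data: bytes) -> str:
    """Classify content by signature, ignoring whatever name it was served as."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature in a real PE file.
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"  # MZ stub without a PE header: still an executable image
    head = data[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path ('' if none)."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def host_under_watched_domain(url: str) -> bool:
    """Match on label boundaries so 'not3322.org' does not match '3322.org'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_PARENT_DOMAINS)


def assess(url: str, data: bytes) -> dict:
    """Return a verdict for one served file with the reasons it was flagged."""
    ext = extension_of(url)
    kind = sniff_content(data)
    reasons = []
    if host_under_watched_domain(url):
        reasons.append("host is under a watched parent domain")
    if ext in PASSIVE_EXTENSIONS and kind in ("pe", "mz", "script"):
        reasons.append(f"{ext} file actually carries {kind} content")
    return {"url": url, "ext": ext, "kind": kind,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(samples):
    """Assess a list of (url, bytes) pairs, e.g. carved from a proxy cache or pcap."""
    return [assess(url, data) for url, data in samples]


def fake_pe() -> bytes:
    """Constructed (hypothetical): minimal MZ header whose e_lfanew points at a PE signature."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed samples mirroring the pattern in the post (hosts are placeholders,
# not observed subdomains).
SAMPLES = [
    ("http://example.com/photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    ("http://example.com/style.css", b"body { color: #000; }"),
    ("http://sub.example.net/what.jpg",
     b'<html><script>var s=unescape("%u9090%u9090");</script></html>'),
    ("http://sub.example.net/down.css", fake_pe()),
    ("http://placeholder.3322.org/ie.html", b"<html><script>x()</script></html>"),
    ("http://not3322.org/logo.gif", b"GIF89a" + b"\x00" * 16),
]

if __name__ == "__main__":
    for result in scan(SAMPLES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['url']}  ({result['kind']})  {'; '.join(result['reasons'])}")
```

Two caveats a practitioner would want: the script-marker check is a coarse heuristic that will miss obfuscated or encoded payloads, so it belongs beside (not instead of) real content inspection; and the domain match deliberately tests label boundaries, because a naive `"3322.org" in host` substring check both over-matches unrelated hosts and is trivially evaded.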
Given that exploit code is readily available, this is likely only the tip of the iceberg in terms of the domains and malware we will see over the next few weeks, and we can expect new exploit and related malware variants for many months, if not years, to come.
Earlier today, Computer World reported that private exploits had been created for Internet Explorer 7 and 8, but that those exploits would remain private. Still, the publicity may entice others to meet the challenge and go public to prove their prowess.
On the bright side, Microsoft said today that it would release an out-of-cycle patch for this vulnerability. McAfee Labs advises those tempted to install an unofficial patch to think twice before doing so, as malware and adware often arrive under the guise of such a “fix”.