2117966(dot)net – Mass iframe injectionMarch 14, 2008 – 9:05 AM
Last Updated: 2008-03-14 15:33:49 UTC
by Kevin Liston (Version: 1)
Over 10,000 legitimate websites have been compromised and now have an iframe that will direct visitors to a malicious website hosted on 2117966(dot)net. The malicious website attempts to exploit the vulnerability described in MS06-014 and a number of ActiveX vulnerabilities.
Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.
Recommended immediate action:
Block 2117966(dot)net at your web proxy
Recommended follow-up action:
Inspect your web proxy logs for visitors to 2117966(dot)net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 126.96.36.199
(http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.
A properly-patched system should not be at-risk from this attack. It is recommened to use a browser that does not support ActiveX.
Until details become available on how the iframe was injected, we have no recommendations.
We currently do not have details on how the iframes were placed on the websites. If you are responsible for cleaning-up or investigating one of the defacements, please contact us if you have information on how the compromise occurred.