Spam, written in HTML to evade filters, arrives with the subject "Hot Pictures of Britiney Speers" and contains links leading to the malicious sites, according to a security alert from Websense.
The server connected to the site is based in Russia and has been used in similar attacks to install rootkits and other trojans, the alert said.
A number of compromised sites containing IFrames, which permit the embedding of HTML documents inside a main document, are contributing to the spread of exploits, according to researchers. In this case, the IFrames are pointing to a site hosting the ANI exploit.
Roger Thompson, CTO and chief researcher of Exploit Prevention Labs, said Tuesday on his blog that the IFrame "lures" are leading to a site installing a Rustok rootkit.
"They have a strong and large system of lures, so this is a pretty good escalation of events," Thompson said. "Good thing the patch came out today."
In addition, Thompson reported "large numbers" of hacked sites, mostly based in China, are hosting similar payloads.
Meanwhile, more details emerged late Tuesday about the lead-up to Microsoft’s patch release. Mike Reavey of the Microsoft security Response Center said the company first received word of the vulnerability on 20 December, but the fix had to go through a lengthy building and testing process before it was ready for release.
As users apply the patch, some problems are resulting, the SANS Internet Storm Center reported today.
At least one application, the Realtek HD Audio Control Panel, may not start after the fix is installed, according to an updated advisory from Microsoft.
Microsoft suggests applying the accompanying hotfix.
Britney Spears photos used as ANI exploit lure
By Dan Kaplan on Apr 5, 2007 10:00AM
Count a website touting racy photos of former pop diva Britney Spears as one of about 450 that are hosting the dangerous ANI exploit, patched on Tuesday by Microsoft in an emergency release.
Got a news tip for our journalists? Share it with us anonymously here.