A large clump of sites in the Asia Pacific region are sporting embedded IFrames pointing to a site that's spreading ANI exploit code, Websense reported yesterday. An IFrame is an HTML element that makes it possible to embed an HTML document inside a main document.
The security firm's ThreatSeeker technology is tracking more than 450 unique compromised sites, most with all pages infected. The total of infected pages with exploit code links is tens of thousands. Websense is working with groups to get them taken down. Besides those sites, the 50-plus sites in this particular cluster all connect to the same host.
Websense's alert said the sites appear to be running blogs or message boards. Most of the sites contain embedded IFrames on all pages that lead to the set of sites hosting the ANI exploit, the alert said. The total number of pages is more than 500.
Were a user to connect to one of these feeder sites, that user would be redirected to two hosts of the exploit code. The hosts download and install a file called "ad.exe" which contains a password stealer that Websense says is not being detected by most antivirus companies.
Websense has screenshots of the sites here.
Microsoft has promised a patch for the animated cursor flaw today, jumping its normal Patch Tuesday cycle by a week in order to address the rising tide of exploit and customer concern. Meanwhile, eEye has updated its workaround in order to address the exploit's newfound ability to bypass its temporary patch.