False Positives and Real Danger

"A lot of sites were mistakenly flagged as attack sites," Nazario said. "We were able to whittle it down to about three dozen URLs actually hosting the malicious code." Those URLs mapped to about 18 unique IP addresses, said Nazario, who tracks malicious activity on the widely read Worm Blog.

"Compared to where we were with the WMF attacks late last year, we can confirm that this one is very limited in scope," he said.

In addition to working on a patch, Microsoft's Toulouse said generic protections and malware removal signatures have been added to the Windows Live Safety Center to help users clean up from infections. Microsoft is mulling a plan to release an emergency update to correct the flaw, but Toulouse stressed that the company's priority is to ensure that the patch passes rigorous quality assurance testing.

The company has already released an advisory with interim workarounds for customers running IE on supported versions of Windows 2000, Windows XP and Windows Server 2003. In the absence of a patch, Microsoft recommends that IE users configure the browser to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zone. In addition, IE users can set Internet and Local intranet security zone settings to "High" to prompt before Active Scripting in these zones.
Nazario's research team also found that the bulk of the shellcode used in the exploits was identical, confirming suspicions that a small group is responsible for the attack.