A user visited a webpage and got redirected to hxxp://iframebiz.biz/dl/adv443.php (tt changed to xx to protect anyone from getting there…)
Among other things… the page was obfuscated and many malicious bits of software were loaded through JavaScript… such as hxxp://iframebiz.biz/dl/adv443/sploit.anr and hxxp://iframebiz.biz/dl/loadadv443.exe and hxxp://iframebiz.biz/dl/adv443.hta and some sort of loaderadv443.jar and… http://iframebiz.biz/dl/adv443/x.chm
It looks like a bunch of malicious software trying to exploit a variety of vulnerabilities (old and new). Apparently this isn’t a new way of getting these installed (they found 9 DNS names have been used in the last week) – traffsale.biz iframesite.biz iframetraff.biz toolbartraff.biz buytraff.biz iframecash.biz toolbarurl.biz iframebiz.biz and toolbarbiz.biz have all been used by a machine at 81.9.5.10
They’ve tried contacting the ISP and for fun infected a VMware virtual machine. More than 50 files were pulled down from all over.
Not that Firefox is invincible, but … most exploits in the wild affect unpatched Internet Explorer vulnerabilities which is why I usually recommend Firefox…
How are they being injected into website files?
It's simple: the website owner inserts code with the exploit into a page.
For example:
< iframe src=/path/to/exploit width=0 height=0 >< /iframe >
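A defender-side check for the injection pattern shown in the reply above, written here as an added example (not code from the post or from anyone quoted in it): it walks a page's HTML and flags iframes that are zero-sized, hidden by inline CSS, or pointed at one of the domains the post lists for 81.9.5.10. The sample page and the embed hosts in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the post reports as serving the exploit pages (all on one host).
WATCHLIST = {
    "iframebiz.biz", "traffsale.biz", "iframesite.biz", "iframetraff.biz",
    "toolbartraff.biz", "buytraff.biz", "iframecash.biz", "toolbarurl.biz",
    "toolbarbiz.biz",
}

def _is_zero_size(value):
    """True for width/height values such as '0', '0px' or '0%'."""
    if value is None:
        return False
    digits = value.strip().lower().rstrip("px%").strip()
    return digits.isdigit() and int(digits) == 0

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are invisible or point at a watchlisted host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag names for us
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if _is_zero_size(a.get("width")) or _is_zero_size(a.get("height")):
            reasons.append("zero-size")
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host in WATCHLIST:
            reasons.append("watchlisted-host")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts for every suspicious iframe."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one benign embed and two injected frames.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>
<iframe src=http://iframebiz.biz/dl/adv443.php width=0 height=0></iframe>
<IFRAME src="http://cdn.example.net/x.html" style="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["src"], ",".join(f["reasons"]))
```

Unquoted attribute values such as `width=0` (the form used in the reply) are handled by the standard-library parser, so the check works on raw, unformatted page source.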