A long list of porn sites currently are attacking recent quicktime and some other older browser side vulnerabilties. Unfortunately, it looks like some of our users are getting hit with this stuff in the wild — these exploits and malware are prevalent.

It looks as though the purpose is to download, install, and run a service that acts as a trojan clicker. Clickers like this one continue to fetch web pages from related porn sites and their banner ad links in the background, without the user noticing (although your network card and cpu might appear to be pretty busy!). This activity turns into revenue for the individuals hosting the sites that the clickers are fetching pages from. Here is what an infected system with the installed service looks like:

We’ll update the post with more info soon…patch your system and QuickTime, or just lay off the porn sites. Geesh.

UPDATE: The Quicktime rtsp streams appear to be down for the moment. But the CVE-2005-4560 wmf files targeting the Microsoft Gdi vulnerability of long ago continue to be delivered, as are the .ani files targeting Microsoft vulnerabilites as well.

UPDATE2: Threatfire continues to stop the component delivery. If your system isn’t patched for the .ani and .wmf exploits that the sites deliver, TF stops the BoF exploit. If the exploit delivered components somehow end up on your system, TF detects the components as a Trojan clicker. These Trojan.Clicker.Syspose components are delivered from a couple web sites hosted in the Ukraine.

This entry was posted on Tuesday, December 4th, 2007 at 4:56 pm and is filed under Exploit, Vulnerability. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.