Sunbelt researches have come across more than 50 new variants of the Windows Metafiles (WMF) using the new zero day exploit.

Most of these new variants are coming from Iframeurl [dot] biz but here is a list of other websites using this exploit you should block from your network ASAP.

m.cpa4 [dot] org
008k [dot] com
mscracks [dot] com
keygen [dot] us
dailyfreepics [dot] us
pornsites-reviews [dot] com
mmxo.megaman-network [dot]
com
600pics [dot] com
Crackz [dot] ws
unionseek [dot] com
www.tfcco
[dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
Buytoolbar [dot] biz
teens7 [dot] com

This exploit is very interesting in that it does not just affect Microsoft Internet Explorer but most browsers and normal applications that interact or display WMF graphics. Yesterday only a few of the websites we monitor used this exploit but now that number is exploding.

What does this mean?

The number of attach vectors are exponential. For example the latest craze of posting spam in blog talkbacks. How would you like to be reading your favorite blog, click the talkback link and get infected so badly your only option is to reinstall your operating system.

Another potential vector would be spam delivered to say all hotmail accounts or other web based email systems.

Let’s hope Microsoft gets a patch out quickly!!

Cheers,

Eric Sites
VP of Research & Development