Websense Security Labs(TM) has
received reports of new malicious websites designed to install Trojan
Horse bots that allow attackers to compromise end-user banking
credentials for more than 50 financial institutions and ecommerce
websites.

The websites are hosted in Germany,
England, and Estonia, and appear to be using round robin DNS, resolving
to five unique IP address that revolve on each lookup. Each site hosts
the same exploit code. This code attempts to exploit the Microsoft
AdoDB / XML HTTP (MS06-014) vulnerability to download and install a
Trojan downloader without end-user interaction.

When end-users visit the site, they
are directed to one of the five servers. If the end-user machine
is vulnerable, a file called “iexplorer.exe” is downloaded and run. The
site displays a simple page that says the sever is temporarily busy and
suggests that the user shut down any firewall and antivirus software.
The “iexplorer.exe” file downloads and installs five additional files
from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

Websense Alert