Websense Security Labs(TM) has received reports of new malicious websites designed to install Trojan Horse bots that allow attackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites.

The websites are hosted in Germany, England, and Estonia, and appear to be using round robin DNS, resolving to five unique IP address that revolve on each lookup. Each site hosts the same exploit code. This code attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

When end-users visit the site, they are directed to one of the five servers. If the end-user machine is vulnerable, a file called “iexplorer.exe” is downloaded and run. The site displays a simple page that says the sever is temporarily busy and suggests that the user shut down any firewall and antivirus software. The “iexplorer.exe” file downloads and installs five additional files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll

Websense Alert