An update on the rapidly changing exploit (under) World.
The WebAttacker site is now down.
Secondly, thanks to AusCERT, the Computer Emergency Response Team for Australia, we now know that the new version of WebAttacker was being heavily advertised in spam, at least in that country, through hacked but otherwise innocent sites.
Each hacked site contains the usual single-line iframe that reaches out to the exploiter. In other words, anyone visiting the hacked site is automatically and invisibly re-directed to the exploiter.
We're not seeing any obvious connection between the hacked sites at this point - they include song lyrics, beauty supplies, a bridal shop, and travel - but we'll continue to look at them to try and find a common thread. The fact is that this exploiter went to a lot of trouble to hack at _least_ 33 lure sites, and then used a brand new version of WebAttacker on them.
We know that the exploitive site first came online in the middle of April, so we might surmise that the exploiter has been preparing the attack since then. In which case, he must be pretty disappointed that he was discovered and shut down within a few hours ...