New attack underway
There is a significant attack run underway over the weekend. It involves a spam run telling people they have a Greeting Card, not that this is a new tactic, but it involves a seemingly large number of .hk domains. If you click the link to view the card, it throws an ANI exploit, which is new-ish (patched in April 2007), and MS06-042, which is old-ish (patched in October 2006), and an MS05-052!!! I have no idea when that was patched except that it was 2005 sometime, and if someone has not patched since then... well... they have a name for people like that... serially pwned.
If it manages to nail you, it installs a downloader for which AV detection is low, and it, in turn, downloads a rootkit for which AV detection is _very_ low.
What this all means is that the weird thing is the use of a two-year-old exploit that we have not seen in use anywhere else until now. Go figure.
If you're patched, or are running LinkScanner, all is well.