Sunbelt researcher Patrick Jordan has been researching a nasty group of sites, including toolbarbarcool(dot)biz.

These guys will do anything to get on your machine.

First, it tries to infect you through a (long patched) compiled help file (CHM) exploit.

If unsuccessful at that, it goes ahead and does a 2 for 1 special: it attempts to infect through both the WMF exploit and the JavaScript exploit. Both of these exploits are fairly recent: the JavaScript exploit was patched on December 12th, 2005 and the WMF exploit was patched on January 5th, 2006.

Video here.

Here are the URLs:


Alex Eckelberry