Just for fun, Sunbelt researcher Adam Thomas (who discovered the VML exploit yesterday) has cataloged what is installed with one installation he observed. Epic quantities of junk:
BookedSpace Browser Plug-in
MediaMotor Trojan Downloader
TargetSaver Browser Plug-in
Webext Browser Plug-in
In other words, your machine is beyond pwned. (Note that this just happens to be what one bad boy has included as a payload. Anything could be put in there. Just one simple trojan. Or a whole boatload of crap. Also this is a listing from a spyware scan and probably has some overlapping items.)
As Roger Thompson of Exploit Prevention Labs said today to eWeek:
“This is a massive malware run,” says Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed the drive-by attacks are hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities.
In other news, word on the street is that Microsoft is targeting this flaw to be patched on October 10th, the next patch day — unless things get really bad out there. Hmm…
Late Tuesday morning, Microsoft acknowledged the bug, and said it was working on a fix. “The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted,” a spokesman said. Other details, however, such as whether IE 7 users were at risk, were not forthcoming.
The security community is engaged on this exploit:
SANS handler diary entry.
More as I get it.