
Just for fun, Sunbelt researcher Adam Thomas (who discovered the VML exploit yesterday) has cataloged what is installed with one installation he observed. Epic quantities of junk:

Virtumonde
Trojan-PSW.Win32.Sinowal.aq
BookedSpace Browser Plug-in
AvenueMedia.InternetOptimizer
Claria.GAIN.CommonElements
Mirar Toolbar
7FaSSt Toolbar
webHancer
Trojan.SvcHost
Trojan.Delf
Begin2Search Toolbar
MediaMotor Trojan Downloader
Trojan-Downloader.Winstall
TargetSaver Browser Plug-in
InternetOffers Adware
SurfSideKick
Trojan.Vxgame
SafeSurfing.RsyncMon
Trojan-Downloader.Small
Freeprod/Toolbar888
ConsumerAlertSystem.CASClient
SpySheriff
Trojan-Downloader.Qoologic
Zenotecnico
Command Service
WebNexus
Webext Browser Plug-in
Trojan-Downloader.Gen
Danmec.B-dll
Traff-Acc
EliteMediaGroup
NetMon
TagASaurus
Trojan-Downloader.Win32.Small.awa
FullContext.EQAdvice
Trojan-Clicker.Win32.VB.ij
Yazzle.Cowabanga Misc
Backdoor.Shellbot
Trojan.Danmec
TopInstalls.Banners
Trojan-Dropper.Delf.VA
Adware.Batty
Trojan-Downloader.Win32.Small.cyh
Toolbar.CommonElements
Trojan.Win32.PePatch.dw
Backdoor.Win32.Delf.aml
BookedSpace

In other words, your machine is beyond pwned. (Note that this just happens to be what one bad boy has included as a payload. Anything could be put in there. Just one simple trojan. Or a whole boatload of crap. Also, this is a listing from a spyware scan and probably has some overlapping items.)
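The "overlapping items" caveat is worth making concrete: a spyware scanner reports one line per detection signature, and several signatures in the list above describe the same family under different naming conventions (for example the three Delf entries, the three Small entries, or Danmec.B-dll beside Trojan.Danmec). The script below is an added example, not part of the original post or any Sunbelt tool; it reduces each detection name to a family key with assumed heuristics (strip type prefixes such as Trojan-Downloader, platform tokens such as Win32, short variant suffixes, and trailing descriptors such as "Browser Plug-in") and reports which families appear more than once. The sample input is a constructed subset of the list above; the heuristics are assumptions and will not match every vendor's scheme.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the detection names listed in the post.
SCAN_OUTPUT = """
Virtumonde
Trojan-PSW.Win32.Sinowal.aq
BookedSpace Browser Plug-in
Trojan.SvcHost
Trojan.Delf
Trojan-Downloader.Small
Danmec.B-dll
Trojan-Downloader.Win32.Small.awa
Trojan.Danmec
Trojan-Dropper.Delf.VA
Trojan-Downloader.Win32.Small.cyh
Backdoor.Win32.Delf.aml
BookedSpace
"""

# Assumed naming conventions (not any vendor's documented scheme).
TYPE_PREFIXES = {"trojan", "trojan-psw", "trojan-downloader", "trojan-clicker",
                 "trojan-dropper", "backdoor", "adware", "toolbar"}
PLATFORMS = {"win32"}
# Trailing descriptors used in space-separated, spyware-style names.
DESCRIPTORS = ("browser plug-in", "trojan downloader", "toolbar", "adware", "misc")
# Short variant suffixes such as .aq, .awa, .VA, .B-dll
VARIANT_RE = re.compile(r"^[a-z]{1,3}(-dll)?$", re.I)


def family_of(name: str) -> str:
    """Reduce a detection name to a lower-case family key."""
    n = name.strip().lower()
    for d in DESCRIPTORS:
        if n.endswith(" " + d):
            n = n[: -len(d) - 1].strip()
    parts = n.split(".")
    # Drop type-prefix and platform tokens from the front.
    while len(parts) > 1 and (parts[0] in TYPE_PREFIXES or parts[0] in PLATFORMS):
        parts.pop(0)
    # Drop short variant suffixes from the back.
    while len(parts) > 1 and VARIANT_RE.match(parts[-1]):
        parts.pop()
    return parts[0]


def group_by_family(scan_text: str) -> Dict[str, List[str]]:
    """Map each family key to the raw detection lines that collapse into it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in scan_text.splitlines():
        if line.strip():
            groups[family_of(line)].append(line.strip())
    return dict(groups)


def overlapping_families(scan_text: str) -> Dict[str, List[str]]:
    """Families reported under more than one signature name."""
    return {fam: names for fam, names in group_by_family(scan_text).items()
            if len(names) > 1}


if __name__ == "__main__":
    groups = group_by_family(SCAN_OUTPUT)
    print(f"{sum(len(v) for v in groups.values())} detections, "
          f"{len(groups)} distinct families")
    for fam, names in sorted(overlapping_families(SCAN_OUTPUT).items()):
        print(f"  {fam}: {', '.join(names)}")
```

Run on the constructed sample, the thirteen detection lines collapse to seven families, with Delf, Small, Danmec and BookedSpace each reported under more than one name. The point for triage is that the raw count from a scanner overstates how many distinct pieces of malware a machine carries; the family grouping is the number an analyst should reason from.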

As Roger Thompson of Exploit Prevention Labs said today to eWeek:

“This is a massive malware run,” says Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed the drive-by attacks are hosing infected machines with browser toolbars and spyware programs with stealth rootkit capabilities.

In other news, word on the street is that Microsoft is targeting this flaw to be patched on October 10th, the next patch day — unless things get really bad out there. Hmm…

Late Tuesday morning, Microsoft acknowledged the bug, and said it was working on a fix. “The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted,” a spokesman said. Other details, however, such as whether IE 7 users were at risk, were not forthcoming.

Link here. MS Security Advisory here.

The security community is engaged on this exploit:

CERT advisory.

ISS advisory.

SANS handler diary entry.

More as I get it.

Alex Eckelberry