New Alerts About MS06-014 Attack Sites & Phishing Botnet

A couple of sites (I don't know who was first) posted stories today about some websites which have been found hosting a fairly old exploit for Microsoft Data Access Components (as you can infer from the bulletin number, MS06-014). One point of contention: the Symantec writeup says it's linked to the recent Australian PM heart-attack spams, which included exploit links, whereas the Websense writeup says it's not related.

Of course, we know that once a website exploit succeeds it's game over and the attacker is limited only by creativity, but I always like to see writeups of what the current bots are doing (especially with pictures!). In this case the attackers download 5 DLLs to the machines (browser helper objects, I assume). These then perform man-in-the-middle attacks on over 50 sites to steal credentials (the usual suspects: PayPal, Wells Fargo, Bank of America, etc.). Also, the botnet is controlled via a web interface rather than the more traditional IRC servers. While the mind always boggles at how stupid some botmasters are (the blind attacking the blinder, as it were), in this case it's highly ironic that botmasters can find someone to build them a nice-looking and powerful web command & control center, and don't ask them to build in password protection to stop security researchers from having a look around…
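Since the post is about attack sites serving MS06-014, here is a small triage scanner for fetched HTML, added as an example for this page (it is not code from the Symantec or Websense writeups, nor from any tool they describe). The one fact it relies on beyond the post is that MS06-014 kill-bits the RDS.DataSpace ActiveX control (CLSID BD96C556-65A3-11D0-983A-00C04FC29E36), whose CreateObject method the published exploits used to instantiate objects such as Shell.Application, Microsoft.XMLHTTP and ADODB.Stream. The sample pages below are constructed for the example and deliberately stop short of a working download-and-execute chain.

```python
import re

# CLSID of the RDS.DataSpace ActiveX control that MS06-014 kill-bits.
# (From the MS06-014 bulletin, not from the blog post.)
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# ProgIDs that MS06-014 exploits typically instantiated via
# RDS.DataSpace.CreateObject to fetch and run a payload.
DANGEROUS_PROGIDS = {
    "shell.application",
    "microsoft.xmlhttp",
    "adodb.stream",
    "wscript.shell",
    "scripting.filesystemobject",
}

_CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(RDS_DATASPACE_CLSID) + r"\}?", re.I)
_PROGID_RE = re.compile(r"RDS\.DataSpace", re.I)
_CREATE_RE = re.compile(r"\.CreateObject\s*\(\s*['\"]([A-Za-z0-9_.]+)['\"]", re.I)
_PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def _decode_simple_escapes(html):
    """Undo %XX escaping so markup hidden inside unescape("...") is visible.

    Attack pages of this era often wrote the <object> tag via
    document.write(unescape(...)); this pre-pass catches that plain form
    only, not fromCharCode or custom decoders.
    """
    return _PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), html)


def scan_page(html):
    """Return findings for one fetched page.

    'rds_dataspace': the vulnerable control is referenced by CLSID or ProgID.
    'create_object': dangerous ProgIDs passed to a CreateObject() call.
    'verdict': 'likely MS06-014 exploit', 'suspicious', or 'clean'.
    """
    text = _decode_simple_escapes(html)
    rds = bool(_CLSID_RE.search(text) or _PROGID_RE.search(text))
    created = sorted(
        {m.group(1) for m in _CREATE_RE.finditer(text)
         if m.group(1).lower() in DANGEROUS_PROGIDS}
    )
    if rds and created:
        verdict = "likely MS06-014 exploit"
    elif rds or created:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"rds_dataspace": rds, "create_object": created, "verdict": verdict}


# Constructed sample pages (not captured from any real attack site).
SAMPLE_EXPLOIT = """<html><body>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="rds"></object>
<script>
var sh = rds.CreateObject("Shell.Application", "");
var xh = rds.CreateObject("Microsoft.XMLHTTP", "");
var st = rds.CreateObject("ADODB.Stream", "");
// download-and-execute steps intentionally omitted from this sample
</script></body></html>"""

SAMPLE_ESCAPED = """<script>
document.write(unescape("%3Cobject classid=%22clsid:bd96c556-65a3-11d0-983a-00c04fc29e36%22 id=%22o%22%3E%3C/object%3E"));
o.CreateObject("Shell.Application", "");
</script>"""

SAMPLE_HALF = "<object classid='clsid:{BD96C556-65A3-11D0-983A-00C04FC29E36}'></object>"

SAMPLE_CLEAN = "<html><body><script>document.write('hello');</script></body></html>"


if __name__ == "__main__":
    for name, page in [("exploit", SAMPLE_EXPLOIT), ("escaped", SAMPLE_ESCAPED),
                       ("half", SAMPLE_HALF), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_page(page))
```

This is a signature check, so treat a "clean" result as "no plain-form markers seen", not as safe: real attack pages of this period layered obfuscation that this pre-pass does not undo. The companion host-side check is to confirm the kill-bit for that CLSID is set (MS06-014 installed), which closes the hole regardless of how the page is encoded.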