A Surge of Redirection to a known IE ActiveX Exploit
Posted by Robert Freeman on October 24, 2006 at 8:17 PM EDT.
I've observed a surge of sites in the past 24 hours that are redirecting to a single malicious host serving up an exploit for CVE-2006-3730/MS06-057, also known as the ActiveX WebViewFolderIcon setSlice vulnerability. This is a known vulnerability and has been resolved in the October 2006 Super Tuesday patches.
These sites are associated with salacious content and bogus search pages/engines. Since it is well known that posting malicious links is a bad idea, even if the "http://" prefix is mangled or excluded, I'll refrain from posting the exact URL. However, the offending IP is currently 85.255.117.214.
In most cases, when there is a many-to-one relationship of sites to a single malicious site, a link has been inserted into the pages, which in most cases may belong to hacked accounts. In this particular instance, as I've mentioned, these sites simply redirect to the malicious URL and provide no other content. After a closer look, it appears the malicious sites are linked to a particular hosting provider at this time, and not all of the hosted sites redirect to the malicious page. What is common among the sites that are redirecting is that they are likely owned by the same group of people. Hmm...
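
The many-to-one redirect pattern described above can be surfaced from crawl or proxy data by counting, per destination host, how many distinct sites redirect there without serving any content of their own. This is an added example, not code from the original post; the record layout, the `redirect_fan_in` function, its thresholds and the sample hosts are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed crawl records (not real data):
# (source site, HTTP status, Location header or None, body length in bytes)
SAMPLE_RECORDS = [
    ("search-a.example", 302, "http://203.0.113.10/x/", 0),
    ("search-b.example", 302, "http://203.0.113.10/x/", 0),
    ("pics-c.example",   301, "http://203.0.113.10/x/", 0),
    ("pics-d.example",   302, "http://203.0.113.10/x/", 154),
    ("blog-e.example",   200, None, 18234),                     # normal page
    ("shop-f.example",   301, "https://www.shop-f.example/", 0),  # self-redirect
    ("old-g.example",    302, "http://198.51.100.7/login", 0),  # one-off redirect
]

MAX_REDIRECT_BODY = 512  # assumed cutoff: larger bodies count as real content


def is_same_site(source, dest_host):
    """True when the redirect stays on the source site or one of its subdomains."""
    return dest_host == source or dest_host.endswith("." + source)


def redirect_fan_in(records, min_sources=3):
    """Map destination host -> sorted source sites, for destinations that at
    least `min_sources` distinct sites redirect to while serving no content."""
    sources = defaultdict(set)
    for site, status, location, body_len in records:
        if not (300 <= status < 400) or not location:
            continue  # not a redirect response
        if body_len > MAX_REDIRECT_BODY:
            continue  # page carries content; not a bare redirect
        dest_host = urlsplit(location).hostname
        if dest_host is None or is_same_site(site, dest_host):
            continue  # relative or same-site redirect (e.g. bare domain to www)
        sources[dest_host].add(site)
    return {
        dest: sorted(sites)
        for dest, sites in sources.items()
        if len(sites) >= min_sources
    }


if __name__ == "__main__":
    for dest, sites in redirect_fan_in(SAMPLE_RECORDS).items():
        print(f"{dest}: {len(sites)} redirecting sites -> {', '.join(sites)}")
```
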
