More on zero day -- Epic loads of adware and a patch date from Microsoft

Just for fun, Sunbelt researcher Adam Thomas (who discovered the VML exploit yesterday) has cataloged what is installed with one installation he observed. Epic quantities of junk:

Virtumonde

Trojan-PSW.Win32.Sinowal.aq

BookedSpace Browser Plug-in

AvenueMedia.InternetOptimizer

Claria.GAIN.CommonElements

Mirar Toolbar

7FaSSt Toolbar

webHancer

Trojan.SvcHost

Trojan.Delf

Begin2Search Toolbar

MediaMotor Trojan Downloader

Trojan-Downloader.Winstall

TargetSaver Browser Plug-in

InternetOffers Adware

SurfSideKick

Trojan.Vxgame

SafeSurfing.RsyncMon

Trojan-Downloader.Small

Freeprod/Toolbar888

ConsumerAlertSystem.CASClient

SpySheriff

Trojan-Downloader.Qoologic

Zenotecnico

Command Service

WebNexus

Webext Browser Plug-in

DollarRevenue

Trojan-Downloader.Gen

Danmec.B-dll

Traff-Acc

EliteMediaGroup

NetMon

TagASaurus

Trojan-Downloader.Win32.Small.awa

FullContext.EQAdvice

Trojan-Clicker.Win32.VB.ij

Yazzle.Cowabanga Misc

Backdoor.Shellbot

Trojan.Danmec

TopInstalls.Banners

Trojan-Dropper.Delf.VA

Adware.Batty

Trojan-Downloader.Win32.Small.cyh

Toolbar.CommonElements

Trojan.Win32.PePatch.dw

Backdoor.Win32.Delf.aml

BookedSpace

In other words, your machine is beyond pwned. (Note that this just happens to be what one bad boy has included as a payload. Anything could be put in there. Just one simple trojan. Or a whole boatload of crap.)

As Roger Thompson of Exploit Prevention Labs said today to eWeek:

"This is a massive malware run," says Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed the drive-by attacks are hosing infected machines with browser toolbars and spyware programs with stealth rootkit capabilities.

In other news, word on the street is that Microsoft is targeting this flaw to be patched on October 10th, the next patch day — unless things get really bad out there. Hmm…

Late Tuesday morning, Microsoft acknowledged the bug, and said it was working on a fix. "The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted," a spokesman said. Other details, however, such as whether IE 7 users were at risk, were not forthcoming.

Link here. MS Security Advisory here.

The security community is engaged on this exploit:

CERT advisory.

ISS advisory.

SANS handler diary entry.

More as I get it.