The malware [isc.sans.org][pdf description], which has been identified by the SANS Institute [read top 20 exploit list [sans.org] or visit the SANS Internet Storm Center [incidents.org]], is delivered to users' PCs through pop-up windows that appear when users log on to financial portals. It seems that the suspect pop-ups are delivered on certain websites that run ads from third-party ad servers, which appear to have been hacked. When the pop-ups appear, vulnerable versions of Internet Explorer begin downloading a malicious file that records activity - such as passwords - onto the infected PC and sends that data to a server reportedly located in Estonia. theregister.com [theregister.com]
Remind me again why I should be using IE? Hmmmmm. Ok, anyway, seems to be a slow day so thought this might brighten some faces. Once Firefox hits 1.0 I'm going to start forcing all my clients to use it, I'll just tell them that they are risking losing everything they own to Russian gangsters, that should do it.
On a similar note, re CoolWebSearch trojan:
The trojan installs dozens of bookmarks to foul porn sites on your desktop; it also adds a toolbar to Internet Explorer and changes your home page without asking. theregister [theregister.com]
Says the guy who writes the antidote program:
Bellekom has just released the latest version of his CWShredder (1.59), the only antidote to the trojan, but warns that his app won't be updated again: "I have a few bugs to fix, but after that there's not much left to do. I simply do not have the tools to remove the latest variants. They are too aggressive or too complicated to allow for automated removal."
These guys are getting better at this stuff all the time, trojans + mafia etc, that gives some incentive that maybe wasn't there so much before, expect higher quality exploits by the year.
[edited by: isitreal at 11:07 pm (utc) on July 1, 2004]