This makes use of a vulnerability in Apache combined with a vulnerability in MSIE:
Security researchers are warning of a new method of installing unwanted parasitic software onto the computers of unsuspecting victims who use Microsoft Internet Explorer (MSIE).
How It Works
Most of the following information is based upon a detailed write-up of the process which is available at vitalsecurity.org.
The process starts with a flaw in the OpenSSL module which is installed alongside most Apache web servers. Apache is the software that serves up web pages on most of the world's web sites. By exploiting this flaw, an attacker can install a rootkit on the web server. The rootkit allows the attacker to take over the server completely. It has been modified to avoid detection by most available rootkit detectors.
Once installed, the compromised web server will attach a JavaScript to every HTTP packet sent to a browser used to surf the site. This JavaScript causes the surfer's browser to open an IFrame, a small inline window which loads a page different from the one in the surfer's address bar.
The IFrame loads a page from one of three sites. One of the sites hosting these pages is owned by someone using an email address associated with CoolWebSearch (coolsearch.biz).
The pages which are loaded in the IFrame cause the browser to load several additional pages, each of which tries a different method of installing parasitic software. Once the browser encounters an exploit for which it is not patched, the browser will download and execute a variety of parasite installers. Any of the following parasitic software may be installed on the victim's computer:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar
The installers for each of these have been modified to make them harder to detect with antivirus and antispyware software. At no time is the user presented with a EULA (End User Licensing Agreement), privacy policy or any other disclosure or the ability to opt out of installing these parasites.
There is evidence to suggest that an infected PC could be used by an attacker to participate in a distributed denial of service attack.
Protect Yourself
There is no complete defense for MSIE users. There is no patch for the IFrame vulnerability. However, you can set Internet Explorer to disable IFrames.
Full story including details of how to block exploitation:
http://www.spywareinfo.net/nov24,2004#hacked
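For site operators, the server-side injection described under "How It Works" leaves the files on disk unchanged and alters only what is sent to browsers, so one check is to compare a known-good copy of a page with the body actually served. The following is an added example, not code from the article or the write-up it cites; it assumes static pages, and the function names, sample pages and host names are constructed for illustration.

```python
import difflib
import re

# Matches the host part of absolute or protocol-relative URLs.
URL_HOST = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")

def injected_segments(known_good: str, served: str) -> list[str]:
    """Text present in the served body but absent from the known-good copy."""
    matcher = difflib.SequenceMatcher(None, known_good, served, autojunk=False)
    return [served[j1:j2]
            for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]

def foreign_hosts(segments: list[str], own_hosts: set[str]) -> set[str]:
    """Hosts referenced inside added text that the site does not own."""
    hosts = {h.lower() for seg in segments for h in URL_HOST.findall(seg)}
    return hosts - {h.lower() for h in own_hosts}

def check_page(known_good: str, served: str, own_hosts: set[str]) -> dict:
    """Summarise what was added to a page between deployment and delivery."""
    segments = injected_segments(known_good, served)
    return {
        "modified": bool(segments),
        "segments": segments,
        "foreign_hosts": foreign_hosts(segments, own_hosts),
    }

# Constructed sample: the page as deployed, and the same page as a browser
# received it, with a script appended that writes an IFrame.
SAMPLE_KNOWN_GOOD = "<html><body><h1>Welcome</h1><p>News</p></body></html>\n"
SAMPLE_SERVED = SAMPLE_KNOWN_GOOD + (
    "<script>document.write('<iframe src=\"http://third-party.example/a\" "
    "width=\"1\" height=\"1\"></iframe>')</script>"
)
SAMPLE_OWN_HOSTS = {"www.example.org"}

if __name__ == "__main__":
    report = check_page(SAMPLE_KNOWN_GOOD, SAMPLE_SERVED, SAMPLE_OWN_HOSTS)
    print("modified:", report["modified"])
    print("foreign hosts:", sorted(report["foreign_hosts"]))
```

The known-good copy should come from the deployment source or a backup and the served body should be fetched from a separate machine, since a rootkit on the server can hide changes from tools run locally.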