Last week’s massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec’s rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site’s web application security practices – or the lack of.

What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves – read more