Sunbelt Software Inc. posted details of the hack once they found rogue code embedded in the site's HTML. The code, an IFRAME exploit, covertly redirected users to a hacker server that then installed 22 pieces of malware onto vulnerable PCs. By Sunbelt's tally, the malware included one worm, three rootkits, five Trojan downloaders, and several password stealers.
Roger Thompson, CTO of Exploit Prevention Labs Inc., posted a video of the hack (.wmv file download) that showed the massive infections and resulting system changes in a debugger window.
Alex Eckelberry, Sunbelt's CEO, thought this was the work of the Russian Business Network (RBN) gang. The RBN is characterized as "the baddest of the bad" by VeriSign iDefense.
"The malware was installed through an exploit framework -- Webattacker, Mpack, Icepack -- as it was encrypted in the same way as Webattacker," Eckelberry stated.
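A webmaster checking a site for the kind of injected IFRAME described above would want a quick audit of the served HTML. The following is an added example (not code from the article, Sunbelt, or Exploit Prevention Labs): it parses a page and flags iframes that are hidden by CSS, sized to zero or one pixel, or point at a host other than the site's own. The sample HTML and the hostnames `example-bank.invalid` and `rogue-host.invalid` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe and one injected hidden iframe.
SITE_HOST = "example-bank.invalid"  # hypothetical host of the site being audited
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://example-bank.invalid/rates" width="600" height="400"></iframe>
<iframe src="http://rogue-host.invalid/" width="0" height="0" style="display: none"></iframe>
</body></html>
"""


class IframeAuditor(HTMLParser):
    """Collect <iframe> tags and record why each one looks suspicious, if it does."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Injected frames are usually hidden so the visitor never sees the redirect.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # A 0x0 or 1x1 frame is invisible without needing any CSS at all.
        width = a.get("width", "").strip("px ")
        height = a.get("height", "").strip("px ")
        if width in {"0", "1"} or height in {"0", "1"}:
            reasons.append("zero/one-pixel size")
        # A frame loading content from a host the site does not own deserves a look.
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host != self.site_host:
            reasons.append(f"off-site src {host}")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, site_host):
    """Return the suspicious iframes found in html as (src, reasons) pairs."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_HTML, SITE_HOST):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

These heuristics only surface candidates for review; a legitimate third-party widget can trip the off-site check, so compare any hit against the site's known page templates.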