Recently, we observed some suspicious activity on the Chinese Yahoo astrology site, http://astrology.cn.yahoo.com. Upon investigation, we determined that the site in question contained an iframe that was linking to the domain luckty.com, an astrology-based match finding company. This page contained an embedded iframe that linked to a malicious site that was exploiting the Real Player ierpplug.dll ActiveX Control Buffer Overflow Vulnerability and the MSIE ADODB.Stream Object File Installation Weakness to download malicious code onto a compromised machine.

We contacted our friends at Yahoo, who subsequently removed all iframe references pointing to luckty.com. Symantec antivirus products utilizing the Canary engine, which detects browser-based exploits, automatically blocked access to the site hosting the exploits, thereby preventing infection. The downloaded malicious code samples are detected as Downloader with definitions version 03/22/2008 revision 2 and later.