The server connected to the site is based in Russia and has been used in similar attacks to install rootkits and other trojans, the alert said.
A number of compromised sites containing IFrames, which permit the embedding of HTML documents inside a main document, are contributing to the spread of exploits, according to researchers. In this case, the IFrames are pointing to a site hosting the ANI exploit.
Roger Thompson, CTO and chief researcher of Exploit Prevention Labs, said on Tuesday on his blog that the IFrame "lures" are leading to a site installing a Rustok rootkit.
"They have a strong and large system of lures, so this is a pretty good escalation of events," Thompson said. "Good thing the patch came out today."
In addition, Thompson reported "large numbers" of hacked sites, mostly based in China, are hosting similar payloads.
Meanwhile, more details emerged late on Tuesday about the lead-up to Microsoft’s patch release. Mike Reavey of the Microsoft ecurity Response Center said the company first received word of the vulnerability on December 20, but the fix had to go through a lengthy building and testing process before it was ready for release.
As users apply the patch, some problems are resulting, the SANS Internet Storm Center reported today.
At least one application, the Realtek HD Audio Control Panel, may not start after the fix is installed, according to an updated advisory from Microsoft.
Microsoft suggests applying the accompanying hotfix.