China Attacks Worsen
The malware injection on Chinese websites continues. As of this morning, a Google search on the injected script returned over 3 million results. Browsing through the first dozen pages, it appears the majority of hits are for actual compromised sites, as opposed to people just chatting about the problem.
The attacks have also morphed. The original attacks observed for the injected 3b3.org script pointed to exploit code on vip762.3322.org which attempted to install malware from xin765.com. The exploit site then shifted to vpsvip.com, with malcode hosted on rtrt66.3322.org and milllk.com.
Currently, the injected 3b3.org script points to exploit code on 80yt4.8866.org. One of the exploits targets an MPEG2 zero day, CVE-2008-0015. The vulnerability resides in a Microsoft Video ActiveX control (described in Microsoft Advisory 972890) and affects Internet Explorer users on XP/2003. Successful exploitation results in the installation of malware from milllk.com.
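For site owners checking whether their own pages carry the injection described above, the following is an added example (not code from the post or from ScanSafe) that pulls every script and iframe src out of an HTML document and flags references to the hosts named in this post. The indicator list is taken verbatim from the post; the sample page is constructed for the demonstration, and a real deployment would feed it the HTML of the pages being checked.

```python
"""Flag <script>/<iframe> references to the hosts named in the post.

Added example for defenders; indicator hosts are those listed in the
post, the sample HTML below is constructed and not a real page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exploit and malware hosts named in the post (the only indicators used here).
INDICATOR_HOSTS = {
    "3b3.org",
    "vip762.3322.org",
    "xin765.com",
    "vpsvip.com",
    "rtrt66.3322.org",
    "milllk.com",
    "80yt4.8866.org",
}


class _RefCollector(HTMLParser):
    """Collect (tag, src) pairs for script and iframe elements."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def _host_of(url):
    """Return the lower-cased hostname of a URL, or "" for relative paths."""
    # Prefixing "//" lets urlparse treat scheme-less "host/path" refs as netloc.
    parsed = urlparse(url if "//" in url else "//" + url)
    return (parsed.hostname or "").lower()


def matches_indicator(host):
    """True if host equals an indicator host or is a subdomain of one."""
    return any(host == ind or host.endswith("." + ind) for ind in INDICATOR_HOSTS)


def find_injected_refs(html_text):
    """Return [(tag, src, host)] for every external reference that hits an indicator."""
    collector = _RefCollector()
    collector.feed(html_text)
    hits = []
    for tag, url in collector.refs:
        host = _host_of(url)
        if matches_indicator(host):
            hits.append((tag, url, host))
    return hits


# Constructed sample: a normal page with two injected references mixed in.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://3b3.org/c.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://80yt4.8866.org/x.html" width=0 height=0></iframe>
<script src="https://cdn.example.com/lib.js"></script>
</body></html>"""


if __name__ == "__main__":
    for tag, url, host in find_injected_refs(SAMPLE_PAGE):
        print(f"INDICATOR HIT <{tag}> -> {url} (host {host})")
```

Relative and first-party references are ignored; only references whose hostname equals, or sits under, one of the listed hosts are reported, so a match on a page you serve is a strong signal that the page itself has been modified.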

Mary Landesman