Wednesday, May 12, 2010

Possible Root Compromise of Greatandhra.com 

A new attack emanating from the malware domain v3p2.com may be linked to an alleged root compromise of greatandhra.com, a news and media site with an Alexa global traffic rank of 2,339.

The v3p2.com attack drops a cookie to track victims, checks for the presence of Rising AV or 360Safe antivirus, then exploits the "use after free" vulnerability in Microsoft Internet Explorer versions 6 (including SP1) and 7 (CVE-2010-0806 / MS10-018, the iepeers.dll flaw that Microsoft patched out-of-band on March 30, 2010). Browsers with that update applied, and IE 8, are not affected by this exploit.

A successful exploit leads to the silent installation of a data theft trojan delivered from n9uo.com. Both attack domains, v3p2.com and n9uo.com, were registered on May 7th. HTTP Referer headers on requests to v3p2.com indicated the attack was originating from the popular greatandhra.com website.

Coincidentally (or not), greatandhra.com was mentioned on Hack Forums (tagline "Packets, Punks, and Posts") on May 2nd for having an accessible, vulnerable root entry in its mysql.user table. A subsequent post to the thread (also on May 2nd) by someone using the moniker jfmherokiller claimed shell access had been gained.
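The kind of exposure alleged above is easy to audit on your own servers. The following is an added example, not code from the original post or from greatandhra.com: it runs over rows exported with `SELECT User, Host, Password FROM mysql.user;` (MySQL 5.0/5.1 column names) and flags root accounts reachable from non-local hosts, accounts with no password, anonymous accounts, and accounts still using the weak pre-4.1 16-character password hash. The sample rows and hash values are constructed placeholders.

```python
# Audit mysql.user rows for the exposures a remote attacker looks for first.
# Added example; sample data is constructed, hashes are placeholders.

# Rows as returned by:  SELECT User, Host, Password FROM mysql.user;
NEW_HASH = "*" + "0123456789ABCDEF0123456789ABCDEF01234567"   # 4.1+ style, 41 chars
OLD_HASH = "5d2e19393cc5ef67"                                 # pre-4.1 style, 16 chars

SAMPLE_USERS = [
    ("root",   "localhost",   NEW_HASH),   # fine: root only from the local socket
    ("root",   "%",           NEW_HASH),   # root reachable from any host
    ("root",   "127.0.0.1",   ""),         # root with no password at all
    ("",       "localhost",   ""),         # anonymous account
    ("legacy", "localhost",   OLD_HASH),   # weak old-format hash
    ("webapp", "localhost",   NEW_HASH),   # fine
    ("webapp", "192.168.1.%", NEW_HASH),   # non-root, scoped to a LAN range
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_old_hash(pw):
    """Pre-4.1 MySQL hashes are 16 hex characters; 4.1+ hashes start with '*'."""
    return len(pw) == 16 and all(c in "0123456789abcdefABCDEF" for c in pw)


def audit_users(rows):
    """Return (finding, account, remediation SQL) triples for risky rows."""
    findings = []
    for user, host, pw in rows:
        acct = "'%s'@'%s'" % (user, host)
        if user == "":
            findings.append(("anonymous-account", acct, "DROP USER %s;" % acct))
            continue
        if pw == "":
            findings.append(("empty-password", acct,
                             "SET PASSWORD FOR %s = PASSWORD('<new strong password>');" % acct))
        elif is_old_hash(pw):
            findings.append(("old-password-hash", acct,
                             "SET PASSWORD FOR %s = PASSWORD('<new strong password>');" % acct))
        if user == "root" and host not in LOCAL_HOSTS:
            # A root entry with a wildcard or remote host is reachable by anyone
            # who can hit port 3306; drop it rather than try to scope it down.
            findings.append(("remote-root", acct, "DROP USER %s;" % acct))
    return findings


if __name__ == "__main__":
    for kind, acct, fix in audit_users(SAMPLE_USERS):
        print("%-18s %-24s %s" % (kind, acct, fix))
```

Even with clean rows, a database that does not need network clients should also set `skip-networking` (or bind `bind-address=127.0.0.1`) in my.cnf, so that an entry such as `'root'@'%'` cannot be reached from the outside if one is ever re-created.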

First encounters with this attack began on May 10th, eight days after the initial allegations that root access to greatandhra.com had been gained and three days after the v3p2.com and n9uo.com malware domains were registered.
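Two facts in this post are what let an analyst spot the campaign from their own logs: the Referer headers pointing back at greatandhra.com, and the three-day gap between the registration of v3p2.com and n9uo.com and the first victims. The following is an added example, not code from the original post: it parses proxy access-log lines in Apache combined format, flags requests to domains registered within the last two weeks, and walks the Referer chain back to the site that introduced them. The log lines, client addresses and paths are constructed; the registration dates for the two attack domains come from the post, while the dates for greatandhra.com and example.org are placeholders standing in for WHOIS data.

```python
# Flag young domains in a proxy log and trace referrers back to the origin site.
# Added example; the sample log is constructed, WHOIS dates partly assumed.
import re
from collections import defaultdict
from datetime import datetime, date
from urllib.parse import urlsplit

# Apache "combined"-style lines from a forward proxy (absolute request URLs).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log modelled on the post's timeline (first hits on 10 May 2010).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2010:14:02:11 +0000] "GET http://www.greatandhra.com/ HTTP/1.1" 200 51233 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [10/May/2010:14:02:12 +0000] "GET http://v3p2.com/ HTTP/1.1" 200 2311 "http://www.greatandhra.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [10/May/2010:14:02:14 +0000] "GET http://n9uo.com/x HTTP/1.1" 200 98304 "http://v3p2.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.9 - - [10/May/2010:15:10:40 +0000] "GET http://www.example.org/news HTTP/1.1" 200 1024 "http://www.greatandhra.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
10.0.0.9 - - [10/May/2010:15:11:02 +0000] "GET http://v3p2.com/ HTTP/1.1" 200 2311 "http://www.greatandhra.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
"""

# Domain creation dates.  v3p2.com and n9uo.com: 7 May 2010 (from the post).
# The other two are assumed placeholders for long-established sites.
REGISTRY = {
    "v3p2.com": date(2010, 5, 7),
    "n9uo.com": date(2010, 5, 7),
    "greatandhra.com": date(2003, 1, 1),   # assumed
    "example.org": date(1995, 1, 1),       # assumed
}


def registrable_domain(url):
    """Crude host -> domain reduction: lower-case, strip a leading 'www.'.
    No public-suffix handling; adequate for the .com/.org sample."""
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["domain"] = registrable_domain(rec["url"])
    rec["ref_domain"] = registrable_domain(rec["referer"]) if rec["referer"] != "-" else None
    return rec


def domain_age_days(domain, seen_on, registry):
    created = registry.get(domain)
    return (seen_on - created).days if created else None


def analyze(log_text, registry, max_age_days=14):
    """Return young domains seen, the non-young sites that referred to them,
    and the clients (possible victims) that fetched from them."""
    young = {}                    # domain -> age in days at first sighting
    upstream = defaultdict(set)   # target domain -> referring domains
    victims = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["domain"]:
            continue
        age = domain_age_days(rec["domain"], rec["when"].date(), registry)
        if age is None or age > max_age_days:
            continue
        young.setdefault(rec["domain"], age)
        victims.add(rec["client"])
        if rec["ref_domain"]:
            upstream[rec["domain"]].add(rec["ref_domain"])

    def origins(domain, seen):
        # Follow referrers until a domain that is not itself young: that is
        # the (compromised) site that injected the redirect.
        found = set()
        for ref in upstream.get(domain, ()):
            if ref in seen:
                continue
            if ref in young:
                found |= origins(ref, seen | {ref})
            else:
                found.add(ref)
        return found

    return {
        "young_domains": young,
        "origins": {d: sorted(origins(d, {d})) for d in young},
        "victims": sorted(victims),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG, REGISTRY), indent=2))
```

On the sample data both attack domains come out three days old, both chains lead back to greatandhra.com, and the two clients that touched them are listed as candidates for incident response. In practice the registry dictionary would be filled from WHOIS lookups, and the age threshold tuned to taste; a young domain alone is only a weak signal, but a young domain that a high-traffic site suddenly starts referring to is worth an immediate look.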
