The Winamp vulnerability in version 5.12 was announced at Secunia just a few days ago, details here. Note the Secunia advisory says “an exploit is publicly available”. Nullsoft released Wimamp 5.13 the same day the exploit was announced, but the spyware pushers saw an opportunity to infect more machines and make more money. SunbeltBLOG posted a Winamp exploit found in the wild today. A malicious Winamp playlist file (.pls) was discovered that causes Winamp to open and subsequently download an ugly CoolWebSearch infection called HomeSearch Assistant, also dubbed Trojan/Startpage.HSA, along with ransomware anti-spyware SpySheriff. The Sunbelt post states the exploit takes place from 008k.com, IP 195.225.177.27 at Netcathosting and recommends network admins and home users to block the site. Netcathosting is one of those ISP’s known to host spyware. Sunbelt also posted a screenshot of the hijacked browser showing domain lookfor.cc (link to dnsstuff.com).
