There are still conflicting reports about the extent of the problem, and exactly which sites may have been spreading malware to their users. LURHQ says it has seen “a relatively small number of sites reporting the infections of IIS servers,” while SANS reports that the compromise affected “a large number of web sites, some of them quite popular.”
Any e-commerce sites that installed keylogging software on their users’ machines would appear to have a major headache, having served as the unwitting agent for exposing customers to the potential theft of personal information. There are potentially serious ramifications for Microsoft as well, since the exploit used to spread the trojan appears to have infected end users with fully-patched web browsers. Several accounts suggest some compromised IIS servers were also fully patched. While Microsoft is noting the availability of hotfixes and workarounds, the flawed MS04-011 patch for Win2K figures to be a point of contention as the security community conducts a damage assessment and post-mortem.