Wimamp exploit used to push spyware

That didn't take long. The Winamp vulnerability in version 5.12 was announced at Secunia just a few days ago, details here. Note the Secunia advisory says "an exploit is publicly available". Nullsoft released Wimamp 5.13 the same day the exploit was announced, but the spyware pushers saw an opportunity to infect more machines and make more money. SunbeltBLOG posted a Winamp exploit found in the wild today. A malicious Winamp playlist file (.pls) was discovered that causes Winamp to open and subsequently download an ugly CoolWebSearch infection called HomeSearch Assistant, also dubbed Trojan/Startpage.HSA, along with ransomware anti-spyware SpySheriff. The Sunbelt post states the exploit takes place from 008k.com, IP 195.225.177.27 (links to go whois) at Netcathosting and recommends network admins and home users to block the site. Netcathosting is one of those ISP's known to host spyware, see yesterday's post. Sunbelt also posted a screenshot of the hijacked browser showing domain lookfor.cc (link to dnsstuff.com)  

The infected playlist file was detected by only one of the VirusTotal scanners as of 4:38 PM EST today. I wouldn't be at all surprised to hear of more infected Winamp playlist files.  The spyware pushers will use any and all exploits to further their dirty business. Users can thwart the dirty business in this case by updating Winamp and blocking the domains mentioned.