One security analyst who requested anonymity said that it was more likely that those reports originated with IT administrators trying to do damage control. "Perhaps they applied the patch but it didn't take, thought they had the patch in place but didn't, or they didn't apply the patch at all but now say they did. It's easier to say 'there are some clever hackers out there' than to admit you got caught with your pants down."
An accounting of infected servers was provided Monday by Cyveillance, a vendor of online risk and management tools. As of Sunday, Cyveillance detected 641 sites that were infected by the malicious code.
The company used its June audit of more than 50 million domains to pinpoint the 6.2 million sites known to run IIS 5.0, then collected and analyzed pages from those sites to test for infection. If Cyveillance's numbers are on the money, that means fewer than one hundredth of 1% of the IIS 5.0 servers in use remained compromised Sunday.
The picture is clearer on the client side, where Internet Explorer 5.0 and 6.0 remain vulnerable to future iterations of this kind of malicious code delivery system. Last week's attack exploited two vulnerabilities in the browser, one known and patched, the other known but not yet fixed.
"This is huge," argued Dunham, whose company has traced the attack to a well-known group of hackers dubbed HangUP, based in Russia. HangUP "has a new trick in their bag to attack Internet Explorer users at will."