<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>SecureWorks / Team Cymru solve the mystery of the Mega-D Trojan</title><link>http://blogs.technet.com/robert_hensing/archive/2008/02/13/secureworks-team-cymru-solve-the-mystery-of-the-mega-d-trojan.aspx</link><description>Joe Stewart is the man . . . I have a ton of respect for him and everyone at Team Cymru. They teamed up to find the C&amp;amp;C for the Mega-D trojan and Joe has done another one of his excellent write-ups here: http://www.secureworks.com/research/threats/ozdok/?threat=ozdok</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: SecureWorks / Team Cymru solve the mystery of the Mega-D Trojan</title><link>http://blogs.technet.com/robert_hensing/archive/2008/02/13/secureworks-team-cymru-solve-the-mystery-of-the-mega-d-trojan.aspx#2891877</link><pubDate>Fri, 15 Feb 2008 01:14:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2891877</guid><dc:creator>Mike Dimmick</dc:creator><description>&lt;p&gt;Given how few people actually seem to update Java, QuickTime, Adobe Reader, Flash etc on a regular basis, it doesn't have to be zero-day.&lt;/p&gt;
&lt;p&gt;I recently discovered that installing new Java Runtimes (JREs) does not block off access to old ones - a web page can request a specific version and if installed, it will load, EVEN IF IT IS VULNERABLE. This germ of information came from Secunia's Personal Software Inspector (&lt;a rel="nofollow" target="_new" href="https://psi.secunia.com/"&gt;https://psi.secunia.com/&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;Keeping the OS up to date is no longer really a problem. Keeping the web browser updated is harder, if it's not shipped with the OS. Keeping plugins updated seems to be very hard indeed.&lt;/p&gt;
&lt;p&gt;If you're interested in keeping your system secure, ditching Adobe Reader for the apparently less vulnerable (though probably much less targeted) Foxit Reader seems like a good idea.&lt;/p&gt;
</description></item></channel></rss>