Over the past few days I've noticed a trend on UrlQuery that shows scores of ampersanded commands in the web queries. These ampersanded commands are intended to run a query, but by flooding the web browser with the repeated entities it may be possible to inject an IFRAME into some browsers. Check out these search parameters for "&amp;amp;amp;amp" at UrlQuery here.
I visited one of these sites with an Invincea protected web browser to see if I would be exploited. I was. Here is the event timeline.
In this instance, a process and a local share were injected via a single-pixel IFRAME. Other sites with similar ampersanded queries lead to Blackhole exploits, toolbar downloads or other malware delivery.
The good news is that Security Analytics / NetWitness can easily detect these ampersanded overflows. Just create a new capture rule on the decoders:

Rule name: Ampersanding Overflow WebQuery
Rule contents: query contains '&amp;amp;amp;amp;'
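For analysts who want to hunt for the same pattern in proxy or web-server logs outside NetWitness, here is an added Python example (my own, not code from the original post or from the NetWitness product). It applies the same substring condition as the capture rule above and additionally measures how many times the ampersand has been re-encoded, so the threshold can be tuned. The log lines, IP addresses and URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<client> <method> <url> <status>".
# These are hypothetical records, not data from the original post.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.test/search?q=widgets&page=2 200",
    "10.0.0.7 GET http://example.test/index.php?id=42&amp;amp;amp;amp;p=1&amp;amp;amp;amp;amp;s=0 200",
    "10.0.0.9 GET http://example.test/list?cat=3&amp;sort=asc 200",
    "10.0.0.11 GET http://example.test/go?a=1&amp;amp;amp;b=2 200",
]

# A single '&' followed by one or more 'amp;' fragments. Each 'amp;' is one
# extra layer of HTML entity encoding stacked on the same ampersand.
AMP_CHAIN = re.compile(r"&((?:amp;)+)")

# The literal string the NetWitness rule in the post looks for.
RULE_SUBSTRING = "&amp;amp;amp;amp;"


def max_amp_depth(query: str) -> int:
    """Return the deepest run of nested 'amp;' re-encodings found in a query string.

    'a=1&b=2'              -> 0  (plain query)
    'a=1&amp;b=2'          -> 1  (single HTML-escaped ampersand, common and benign)
    'a=1&amp;amp;amp;b=2'  -> 3
    """
    return max((len(m.group(1)) // len("amp;") for m in AMP_CHAIN.finditer(query)),
               default=0)


def matches_capture_rule(query: str) -> bool:
    """Same condition as the capture rule: query contains '&amp;amp;amp;amp;'."""
    return RULE_SUBSTRING in query


def scan_log(lines, threshold: int = 4):
    """Return one record per log line whose URL query trips the rule or the depth threshold.

    threshold=4 reproduces the capture rule exactly; lower it to catch shallower chains.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed record, skip rather than crash the sweep
        client, url = fields[0], fields[2]
        query = urlsplit(url).query
        depth = max_amp_depth(query)
        if matches_capture_rule(query) or depth >= threshold:
            hits.append({"client": client, "url": url, "depth": depth})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} depth={hit['depth']} {hit['url']}")
```

With the default threshold the sweep flags only the second record (depth 5); the single `&amp;` in the third record, which is ordinary HTML escaping, is left alone, and the triple-encoded fourth record is reported only if the threshold is lowered to 3. Keep the threshold at 4 unless you have a reason to expect shorter chains, or a busy web tier will produce noise from legitimately double-escaped links.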
Good Luck and Happy Hunting!