Last Thursday, Microsoft released an out-of-band update to fix the latest vulnerability in Internet Explorer. Since then, malware operators have been exploiting this vulnerability to install malware on thousands of PCs. So far, we have detected more than 650 different versions of the exploit code, which ESET antivirus detects as Trojan.JS/Exploit.CVE-2010-0249. We have also identified more than 220 unique distribution points for the exploit code, mostly located in Asia. The countries seeing the majority of the attacks are China, Korea and Taiwan.
To sum up, if you happen to browse to a web page delivering the latest CVE-2010-0249 exploit code, and if you haven’t patched and are not using an up-to-date antivirus, you will end up with 8 different pieces of malware on your PC within seconds.
This evolution in the usage of the exploit code follows the natural course we have observed over the last couple of months. Exploits for high-profile vulnerabilities are usually used at first by very few attackers against specific targets. When details of the exploit become public, malware operators integrate the code into their toolbox and use it to infect as many users as possible.
Author Pierre-Marc Bureau, ESET