On March 9, Microsoft started investigating reports of targeted attacks using a previously undisclosed vulnerability (CVE-2010-0806) affecting Internet Explorer 6 and 7 (Internet Explorer 8, Windows 7, and Windows Server 2008 R2 are not susceptible).  As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about the vulnerability and immediately deployed protection for our customers.  We’ve been tracking exploit attempts against this vulnerability since then, working with MSRC to monitor the state of attacks.

When proof-of-concept code became available in public exploit testing tools on March 10 and by March 12, the attack landscape escalated.  Mitigating signatures providing protection for this issue are: Exploit:JS/CVE-2010-0806 and Exploit:JS/Mult.CR.  These signatures protect customers through Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform.

Targets have spanned over 50 countries, but the most frequently targeted computers have been in China and Korea, with the US trailing a distant third place:

image

Unprotected users are susceptible to infection when they browse to a malicious Web page that attempts to exploit this vulnerability.  If the exploit is successful, a number of malware families may be installed on the victim’s computer.  The majority of malware downloaded after a successful exploit  are trojans.

Some of the variants we have seen are:

Trojan:Win32/Wisp

TrojanDropper:Win32/Lisiu

TrojanDropper:Win32/Agent.gen!I

TrojanDownloader:Win32/Small.gen!AZ

Backdoor:Win32/Agent.FS

TrojanDropper:Win32/Frethog

Like the lifecycle of most vulnerabilities, we expect the threat landscape to mellow with the release and adoption of updates and protection.  We encourage you to apply Microsoft Security Bulletin MS10-018 as soon as possible and install an anti-virus solution, such as Microsoft Security Essentials, to protect yourself from these threats. You can also get free virus-related assistance from Microsoft through Microsoft Help and Support.

-Holly Stewart, MMPC