We've been monitoring for active attacks on the Windows Help and Support Center vulnerability (CVE-2010-1885) since the advisory was released on June 10th.  At first we saw only legitimate researchers testing innocuous proof-of-concept pages.  Then, early on June 15th, the first real public exploits emerged.  Those initial exploits were targeted and fairly limited.  In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we want to make sure customers are aware of this broader distribution.  If you have not yet applied the countermeasures listed in Microsoft Security Advisory 2219475, now is the time to consider them.

As of today, over 10,000 distinct computers have reported seeing this attack at least once.  Here are some details on the attacks we're seeing.

Geolocation

  • By raw attack volume, the most-targeted countries have been the United States, Russia, Portugal, Germany, and Brazil.
  • The regional saturation rate, meaning the number of attacked computers as a share of the monitored population in that region (each computer counted once by a unique identifier), shows a different picture.  By that measure Portugal has seen a much higher concentration of attacks, more than ten times the world-wide average per computer.  Russia is second at eight times the world-wide rate.

Attack Proliferation
Last week we began seeing seemingly automated, randomly generated HTML and PHP pages hosting this exploit.  This methodology accounts for the bulk of the attacks that have continued to flourish into this week.  The following chart shows the timeline of the proliferation:


Payloads of the Exploit
At first, the attacks seemed to focus on downloading Obitel, a downloader trojan whose only job is to fetch other malware.  More recently the downloads have run the gamut, varying both in methodology (some direct downloads, but also downloads that go through single or double script redirects, which our products detect as TrojanDownloader:JS/Adodb.F and TrojanDownloader:JS/Adodb.G) and in payload.  The following list shows some of the payloads we've detected:

Protection
In addition to the mitigations listed in the advisory, customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform have had coverage for this exploit since June 10th through the following two antimalware signatures:

Payloads are detected by the signatures mentioned above.
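Signature coverage protects machines running the products above, but the advisory's workaround is what closes the hole on any Windows XP or Server 2003 box.  The script below is an added example, not code from the original post or from Microsoft: it checks whether the hcp:// protocol handler is still registered and, with -Remediate, applies the Advisory 2219475 workaround.  The assumption that the handler lives under HKEY_CLASSES_ROOT\HCP and that deleting that key is the workaround comes from the advisory text as I recall it, not from this post; the parameter names and output are my own.

```powershell
# Added example (not from the MMPC post): audit and optionally apply the
# Advisory 2219475 workaround of unregistering the hcp:// protocol handler.
# Assumption (from the advisory, not this post): the handler is registered
# under HKEY_CLASSES_ROOT\HCP, and removing that key makes hcp:// links
# unroutable.  Side effect: Help and Support Center stops working until the
# key is restored.  Run from an elevated PowerShell prompt.
param(
    [switch]$Remediate,
    [string]$BackupPath = "$env:TEMP\HCP-handler-backup.reg"
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpHandlerState {
    # Returns whether hcp:// is registered and, if so, what command handles it.
    if (-not (Test-Path -Path $hcpKey)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    $cmd = (Get-ItemProperty -Path "$hcpKey\shell\open\command" `
            -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Registered = $true; Command = $cmd }
}

$state = Get-HcpHandlerState
if (-not $state.Registered) {
    Write-Host 'hcp:// handler is not registered; the workaround is already in place.'
    return
}

Write-Host "hcp:// handler is registered and points at: $($state.Command)"
Write-Host 'Pages carrying the CVE-2010-1885 exploit can still reach Help and Support Center on this host.'

if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to export a backup of the key and remove it.'
    return
}

# Keep a copy so the handler can be restored with "reg import" once a fix is installed.
& reg.exe export 'HKCR\HCP' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup to $BackupPath failed; not removing the key."
}
Remove-Item -Path $hcpKey -Recurse -Force
Write-Host "Removed HKEY_CLASSES_ROOT\HCP (backup saved to $BackupPath)."
```

Run it without switches first to see the audit result; the backup-then-delete order matters because the same key is what you will need to put back when the vulnerability is patched and you want Help and Support Center working again.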

We'll continue to monitor this situation and provide updates as appropriate.  Special thanks go to Lena Lin, Rodel Finones, Chengyun Chu, and Chris Stubbs for their detailed analysis of these attacks and of how the exploits attempt to deliver malware.

- Holly Stewart, MMPC