McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  McAfee Research Blog
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Latest Malware Threats
 RSS Feed
Win32.Weird.e2010-02-02
Win32.Tolone2010-02-02
Worm.IrcBot.14786562009-12-10
Trojan.Drop.Agent.poa.22009-12-10
Trojan.Magania.1059882009-12-08
Trojan.PSW.Frethog.AJ.22009-12-08
View Malware Library
 


McAfee Research Blog

Update on Recent Microsoft 0day (CVE-2010-0249)

January 20th, 2010
Posted by Craig Schmugar

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit.  A few days ago exploit code was made public.  Since then malware authors have been customizing the exploits payload to install their own malicious creations.  Much of the field telemetry we’ve been receiving has been coming from McAfee users in China visiting websites in China.  Some users have been directed to malicious sites from blog and forum posts, while other cases involve compromised web pages that use multiple javascripts and iframes to pull in the malicious content.

The exploits are often served from subdomains of 3322.org and 8866.org.  A common filename is ie.html, which references what.jpg, which contains part of the exploit code (and not a JPEG image).  Some payloads seen download files named down.css and log.css, which are malware executables.  Those executables contain functionality to download other malware, including:

  • Artemis!629E2332CFDA – Generic PWS.y!bsk
  • Artemis!78043EBA321B – PWS-Mmorpg!la
  • Artemis!911BCF95C022 – PWS-OnlineGames.gx
  • Generic Downloader.x!coe
  • Generic Dropper!byp
  • Generic PWS.y!bsk
  • PWS-Mmorpg!la
  • Suspect-02!50CB7D4BB04E – Generic Dropper.hi
  • Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
  • Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
  • Suspect-26!B01B63F88994 – PWS-Mmorpg!la

Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come).

Earlier today, Computer World reported that private exploits were created which exploit Internet Explorer 7 & 8, but that those exploits would remain private.  Still, this publicity may entice others to meet the challenge and go public to prove their prowess.

On the bright side, Microsoft said today that they would release an out of cycle patch for this vulnerability.  McAfee Labs advices those tempted to install an unofficial patch to think twice before doing so as malware and adware often arrive under the guise of such a “fix”.

Back to McAfee Research Blog overview

McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

ANY INFORMATION PROVIDED BY MCAFEE ON THIS BLOG ARE OFFERED "AS IS" WITH NO EXPRESS OR IMPLIED WARRANTIES, CLAIMS, PROMISES OR GUARANTEES ABOUT THE ACCURACY, COMPLETENESS, OR ADEQUACY OF THE INFORMATION CONTAINED IN OR LINKED TO AND NO RIGHTS ARE CONFERRED. BY USING THIS BLOG, YOU ASSUME ALL RISK FOR YOUR USE. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. MCAFEE HAS NO OBLIGATION TO POST BLOG SUBMISSIONS OR RESPONSES.