Internet Explorer 0-day targeted in spam runs

Filed Under: SophosLabs, Spam, Vulnerability

Hot on the heels of the Patch Tuesday announcements yesterday (see blog or links to vulnerability assessment pages), came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).

Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link.

  • the tried and tested "delivery failed, please confirm address details" messages
  • request for details confirmation for insurance quote

Example messages are shown below.

In either case, clicking on the link takes the victim to a web page which kickstarts the infection process.

Generic detection for the exploit scripts seen thus far has been added as Troj/ExpJS-R. A script used to query the browser/OS version before loading the exploit script (or redirecting to a games site) has been added as Troj/JSRedir-AW.

The malicious payloads installed in such attacks are liable to change of course, but the ones seen thus far have been either proactively detected as Mal/Dropper-Y, or added as Troj/Dloadr-CYS.

SophosLabs will continue monitoring for new attacks looking to exploit this vulnerability. In the interim, aside from keeping your protection up to date, take note of the following from the Microsoft announcement:

Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected.

If you are an IE user and have not yet upgraded to version 8, take a hint! It is strongly recommended that you do so. Aside from not being affected from this particular issues, there are a whole bundle of other security related features you are missing out on otherwise.

The SophosLabs vulnerability assessment page for the IE 0-day vulnerability will be updated accordingly.

You might like

One Response to Internet Explorer 0-day targeted in spam runs

  1. Rain G · 1261 days ago

    I was infected on Friday when I opened a web page that said, "dino, dino, dan. O was looking for a download for my son. I head about a pop up on a screen when you open email or web pages so when I opened it I knew they got me. In red flashing box were the words, "its your Lucky Day"

    I don't have a mobil connection or internet at home just when I am at work. My computer is only a month old. Microsoft 2010 installed and the anti-virus installed. I thought I was ok. This is nasty. It was in my system right away and started slowing down the OS. Deverted to microsoft 7. Turned the screen white so I couldn't see. They maid themselves the system Admin under the computers name. Next thing I notice the wi fI is on. I don't have WI fI. I live in the country. Ok weird. Spooky. I run the rescue disk I have of Kelsper and it won't take it. My 6 year old son says something is happening to his computer too. I turned it on and sure enough another adminstrator installed DARE WARE. And a Cisco icon is on my desktop. Our PDA's ( blackberry and Iphone)were infected too. I took the sim cards out. Not sure but I think they scrubbed my husbands and started copying files and folderd. One large data file ended up on my other computer. I even checked my sons Wii. 256 pages of games had been copied and a Game Cube connected remotly to upload the files. Not sure where to go from here. Went to Geek Squad. They think I'm Wacko. Said a Virus is like a infection. It can move from devise to devise if your not online. And they can't go in Phones or Wii's. Well it is and it did. I showed him in the manual. He said the only way my wii was hacked is if I did it myself. What a jerk.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s