Operation Aurora: Further activity – copycat sites

As previously predicted, copycat attacks attempting to exploit the IE zero day vulnerability (CVE-2010-0249) were inevitable.

Though numbers are still very low, over the past 24 hours or so we have seen a few sites serving up malicious code attempting to exploit the vulnerability. Sophos products are blocking the content as Troj/ExpJS-N.

For the sites that are still active, the payloads are another Mal/PcClient variant being blocked as Mal/Generic-A, and a downloader Trojan being proactively detected as Mal/BredoPk-B.

SophosLabs will continue monitoring the situation but, as we said yesterday, stay alert for the patch, which Microsoft have announced they will release ahead of the regular monthly cycle.