Operation Aurora: Further activity - copycat sites
As previously predicted, copycat attacks attempting to exploit the IE zero day vulnerability (CVE-2010-0249) were inevitable.
Though numbers are still very low, over the past 24 hours or so we have seen a few sites serving up malicious code attempting to exploit the vulnerability. Sophos products are blocking the content as Troj/ExpJS-N.

For the sites that are still active, the payloads are another Mal/PcClient variant being blocked as Mal/Generic-A, and a downloader Trojan being pro-actively detected as Mal/BredoPk-B.
SophosLabs will continue monitoring the situation, but as previously described, take this opportunity to review your general approach to web security and ensure your security product is correctly configured to take full advantage of the buffer overflow and runtime protection provided in the Sophos endpoint product. And as Chet noted yesterday, stay alert for the patch which Microsoft have announced they will release ahead of the regular monthly cycle.
Posted on January 20th, 2010 by Fraser Howard, SophosLabs UK
Filed under: Exploits, General, Vulnerabilities, Web