As out-of-band patches are released today, we are not yet seeing memory corruption attacks targeting these newly patched vulnerabilities that effect Internet Explorer 6,7, and 8. Nonetheless, be sure to visit the Microsoft updates site and patch your system soon.
while name = navigator.plugins[i].name
if((name.indexOf(”Adobe Acrobat”) != -1) || (name.indexOf(”Adobe PDF”) != -1))
then iframe src=”cache/readme.pdf
if(name.indexOf(”Foxit Reader”) != -1) then iframe src=”cache/update.pdf
if(name.indexOf(”Flash”) != -1) then iframe src=”cache/flash.swf
The resulting malicious payload is prevented by ThreatFire. “Load.exe” is pulled down from the site on a successfully compromised system, renamed to “pdfupd.exe”, and run. This malicious downloader/dropper currently evades most AV scanners. It drops a couple of drivers, and possibly may be a rustock bot variant, which we are looking further into:
ThreatFire users are protected from multiple layers of the attacks. In addition to patching your system, install a behavioral-based layer of protection on your system.