Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: CVE-2010-0249 in the wild
From: Marc Maiffret <marc () marcmaiffret com>
Date: Fri, 22 Jan 2010 19:57:58 -0800

And one has to wonder what exactly it means if anything that some of
the exploits involved are dropping malware that installs and
manipulates your web browsing experience to be geared towards
Sogou.com, a distasteful Google knock off in China. More than that
though they even install Sogou Explorer which appears to be a Google
Chrome like, but yet again clunky, knock off.

So is it attackers that just happen to really love Sogou and want to
share it with the world? Criminals doing it to make money off of Sogou
browser install referral programs? (If they have such a thing.)
Chinese company looking to expand its market share through hacking?
And if so is there government support for such a program? And if so
again then how does Baidu feel about that? Or something else entirely
making this a completely moot point to begin with? Inquiring minds
want to know...

It is funny to me the hax0r cool biological warfare (since people love
to compare the two, bleh.) aspect of these attacks originating,
supposedly, from a country whose population is more susceptible to
compromise than that of the target. That is of course at least more
easily susceptible given the prevalence and reliability of IE 6
exploits vs. other IE versions. With China having an estimated 60%[1]
of browsers on IE6 vs. 12% in the U.S. Not to imply further as to a
country being the culprit. In that vein though you do have to find the
irony that unlike physical warfare, where a dropped bomb is a dead
bomb,  here in cyberspace you can drop a bomb that can then be tossed
back at you more effectively than your original.

Signed,
Marc Maiffret
Chief Security Architect
FireEye, Inc.
http://www.FireEye.com

[1] - http://gs.statcounter.com/#browser_version-CN-daily-20080701-20100119-bar

On Fri, Jan 22, 2010 at 2:41 PM, exploit dev <extraexploit () gmail com> wrote:
Hi to all,

i have just updated the list of URL that spreading stuff through
cve-2010-0249. If you are interested check:

http://extraexploit.blogspot.com/2010/01/cve-2010-0249-in-wild-xx2228866org-and.html

--
http://extraexploit.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault