Unfortunately it was only a matter of time. Until today the latest Adobe 0-day vulnerability (CVE-2010-1297) had only been used in targeted attacks. That changed a few hours ago when we started seeing mass injections adding the following URL to thousands of pages around the world:
As in the targeted attack scenario we blogged about two days ago our customers are protected by our Websense ACE technology whereas the AV community still has not caught up. The attack itself uses five different files:
y[REMOVED]o.js - the initial file that loads up an invisible iframe to i[REMOVED].html, detection 0/41 (0.00%). Also loads a statistics file that is not malicious.
i[REMOVED].html - loads l[REMOVED]g.txt and a[REMOVED]ey.swf to launch the exploit, detection 3/40 (7.50%)
l[REMOVED]g.txt - contains the shellcode needed for the exploit to work, detection 0/40 (0.00%)
a[REMOVED]ey.swf - contains a Flash file with the exploit, detection 2/41 (4.88%)
l[REMOVED]g.exe - the actual malware that is downloaded, detection 24/41 (58.53%)
The attack is closely related to the hxxp://ww.robint.us/[REMOVED].js attack earlier this week that our friends at Sucuri blogged about, where the common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the new mass injection attack still have the robint.us code present. Below is a video of how the attack works and what happens on a user's computer.
Adobe released a patch for this vulnerability yesterday and we advise all users to download it immediately. Remember, if you use both Internet Explorer and another browser you have to do this twice. Once for IE and a second time for all other browsers.