There are two developments worth mentioning.
First is that we are detecting increased usage of MS07-027. (MS07-027 patched several vulnerabilities, but the one we're seeing in use involves a DLL called MDSAUTH, which apparently allows arbitrary file writing.) The critical thing about this is that it was only patched on May 8th, yet proof-of-concept code was released and available almost immediately, and it is certainly being used by the Chinese gangs. These guys have a habit of hacking large numbers of innocent websites and turning them into unwitting lures.
The second is that we are seeing _lots_ of activity involving the MPack exploit package (what we used to call WebAttacker 2). There are clearly large numbers of hacked websites involved here, and the exploit code works really well. This is the package we've talked about before, and it contains lots of different exploits. The most dangerous are probably the WinZip exploit, because there is no automatic upgrade path for WinZip and many people will still be running a vulnerable version, and the April 2007 animated cursor exploit, simply because it's so new. Many corporates will not yet be patched up to April.
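Both developments above rely on legitimate websites being hacked and turned into lures for an exploit kit. The post does not describe how the lures are planted, so the following is an added, generic defender's check rather than anything from the original post or from the MPack/WebAttacker analysis: it parses a page's HTML and flags iframes that are hidden or zero-size, and iframes or scripts that point at hosts outside the site's own domain. The host names (`example-shop.test`, `lure-host.invalid`) and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LureScanner(HTMLParser):
    """Collect iframes and script sources from an HTML document and flag
    the ones that look like injected lures: hidden or zero-size frames,
    and frames or scripts whose source is off the site's own domain."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()   # the domain this page legitimately belongs to
        self.findings = []                 # list of (src, reasons) tuples

    def _is_foreign(self, src):
        # Relative URLs have no host and are treated as same-origin.
        host = urlparse(src).hostname
        if host is None:
            return False
        host = host.lower()
        return not (host == self.own_host or host.endswith("." + self.own_host))

    @staticmethod
    def _tiny(value):
        # Width/height of 0 or 1 pixel: the frame is not meant to be seen.
        if value is None:
            return False
        m = re.match(r"\s*(\d+)", str(value))
        return m is not None and int(m.group(1)) <= 1

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            reasons = []
            if self._tiny(a.get("width")) and self._tiny(a.get("height")):
                reasons.append("zero-size frame")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden frame")
            if self._is_foreign(src):
                reasons.append("off-site frame")
            if reasons:
                self.findings.append((src, ", ".join(reasons)))
        elif tag == "script":
            src = a.get("src")
            if src and self._is_foreign(src):
                self.findings.append((src, "off-site script"))


def scan_html(html, own_host):
    """Return the list of suspicious (src, reasons) findings for one page."""
    parser = LureScanner(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate widget frame, one same-domain
# script, and one hidden zero-size frame pulling content from another host.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/news.html" width="400" height="300"></iframe>
<script src="https://www.example-shop.test/js/menu.js"></script>
<iframe src="http://lure-host.invalid/in.cgi" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in scan_html(SAMPLE_PAGE, "example-shop.test"):
        print(f"SUSPICIOUS: {src} ({why})")
```

Run it over the saved HTML of each page on a site you administer (for instance from a nightly crawl) and diff the findings against the previous run; a new off-site or invisible frame appearing in many pages at once is the pattern the post describes. The off-domain heuristic will also flag legitimate third-party widgets, so keep an allow-list of known external hosts rather than treating every hit as a compromise.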
Labels: webattacker mpack