Wednesday, October 03, 2007

Cisrt hack

Hi folks,

The most interesting part of this story has been poorly reported, as far as we can see, and that is that at least two of the many exploits being fired by the exploit servers in this hack are brand new! (0-days by some definitions, but probably more correctly Undercover Exploits)

One exploit impacts the Baidu Soba searchbar, (Apparently Baidu is a popular Chinese search engine, and they make a searchbar) which isn't going to impact non-Chinese users too much, but given that CISRT is the Chinese Internet Security Response Team, there's a fair chance it got a bunch of local victims before it was cleaned up.

The second new exploit seemingly targets another third-party toolbar. It's not 100% clear at this point, but the CLSID seems to be the OcSearchAssistant (spyware) searchbar. This is kind of funny, because it means it was targeting stuff that was probably installed by slightly nefarious means in the first place. I thought there was honor among thieves.

These bring the number of new third-party DLL exploits seen in use for the first time to four, in just about one month. It seems an idea that is Catching On (tm).

The third under-reported side to this is the sheer complexity of the encryption being used to obfuscate the exploits. We have still not decrypted some of them, so there could well be more surprises to be found.
