So this is kind of interesting...
This domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point, Google showed script injections pointing to it on over 70k domains.
So the first point is that this was a pretty good mass-hack, and it wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.
The second point is that some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages. The exploit must have been pretty new. I wonder if any of the website operators will have the nerve to own up and tell us how they got nailed? Pigs might fly too.
The third point is how fast the victims are being cleaned up. If you Google for uc8010(dot)com, you still get about 50k hits, but if you are running something like LinkScanner (something that can check out each of those sites in real time by crawling to them), you will see that although the Google snapshot still shows them infected, LinkScanner shows that the majority of them are already clean. (Btw, what this means is that the cached copy is probably still infective, so don't go testing it out yourself unless you know what you're doing.)
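The kind of check LinkScanner does on each crawled page, as an added example that is not code from the post or from LinkScanner: it parses the fetched HTML and flags any script element whose src host is the watched domain (or a subdomain of it), including unquoted and protocol-relative forms. The sample page and its injected script tags are constructed here for illustration; the watched-domain set and function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain named in the post; subdomains such as www.uc8010.com match too.
WATCHED_DOMAINS = {"uc8010.com"}

# Constructed sample: a legitimate CDN script plus two injected references.
SAMPLE_PAGE = """<html><head><title>Product list</title>
<script src="https://cdn.example.com/app.js"></script></head>
<body><h1>Widgets</h1>
<p>Widget A</p><script src=http://uc8010.com/0.js></script>
<p>Widget B</p><script src="//www.uc8010.com/1.js"></script>
</body></html>"""


def host_matches(host, watched):
    """True if host equals a watched domain or sits beneath one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


class InjectedScriptFinder(HTMLParser):
    """Collect <script src=...> values whose host is on the watch list."""

    def __init__(self, watched):
        super().__init__()
        self.watched = watched
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # urlsplit yields a hostname for "//host/x.js" (no scheme) as well
        # as for full URLs; .hostname is already lower-cased.
        host = urlsplit(src.strip()).hostname or ""
        if host_matches(host, self.watched):
            self.hits.append(src)


def find_injected_scripts(html, watched=WATCHED_DOMAINS):
    """Return the src values of script tags pointing at watched domains."""
    finder = InjectedScriptFinder(watched)
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_PAGE):
        print("injected script reference:", hit)
```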
The fourth interesting point is that the only exploit we were able to coax out of them was the venerable MS06-014 (MDAC) patched in September 2006. What this means is that they went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a mouldy old client exploit. It's almost a dichotomy.
Stay safe folks!
Chief Research Officer