So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.
For the time being, cybercriminals have chosen to generate less noise by launching targeted attacks, just as they did earlier this week with the IE7 MS09-002 vulnerability. However, as we've seen before, it's only a matter of time until copycat attackers start using the exploit on a large scale.
With several targeted campaigns currently active, what are the chances that a sample campaign would once again monetize infected hosts by installing rogue security software on them, the way Conficker's first release did? Huge.
- Related incidents involving Adobe exploits: MSN Norway serving Flash exploits through malvertising; CNET's Clientside developer blog serving Adobe Flash exploits; Rigged PDFs exploiting just-patched Adobe Reader flaw
Analysis of the binary served to a host once it has been successfully exploited by a sample campaign shows that it attempts to trick the user into installing the very latest rogue security software, Spyware Protect 2009. The cute part is that the cybercriminals didn't manage to configure their campaign properly, so the download attempt currently results in a 404 error.
What's important to point out is that the original targeted attacks detected by the Shadowserver Foundation once again rely on a hostname (js001.3322.org) under a well-known and previously abused Chinese dynamic DNS provider, 3322.org; more details about its owner are available in a related BusinessWeek article.