Microsoft Releases Data on Windows Zero-Day Attacks
Microsoft reported June 30 that more than "10,000 distinct computers" have been attacked at least once using the Windows vulnerability uncovered in June by Google engineer Tavis Ormandy.
The flaw, which lies in the Windows Help and Support Center function and affects Windows XP and Windows Server 2003, has been increasingly under attack by cyber-criminals since being publicly disclosed last month.
"At first, we only saw legitimate researchers testing innocuous proof-of-concepts," said a post on the Microsoft Malware Protection Center blog. "Then, early on June 15th, the first real public exploits emerged. Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution."
Some data from Microsoft:
â¢ The United States, Russia, Portugal, Germany, and Brazil have been "the largest targets in terms of attack volume."
â¢ In terms of the "number of attacked computers per a population of monitored systems," Portugal has experienced the highest "concentration of attacks -- more than 10 times the worldwide average per computer. Russia is second at eight times the worldwide rate."
"At first, the attacks seemed to focus on downloading Obitel, which is malware that simply downloads other malware," Microsoft said. "However, most recently, downloads have run the gamut, varying in methodology (some direct downloads, but also some downloads involving single or double script redirects, which our products detect as TrojanDownloader:JS/Adodb.F and TrojanDownloader:JS/Adodb.G, and also varying in payload. The following list shows some of the payloads we've detected:
â¢ Trojan:Win32/Swrort.A â¢ TrojanDownloader:Win32/Obitel.gen!A â¢ Spammer:Win32/Tedroo.AB â¢ Trojan:Win32/Oficla.M â¢ TrojanSpy:Win32/Neetro.A â¢ Virus:JS/Decdec.A"
The vulnerability remains unpatched, but users can apply the mitigations and workarounds in the advisory here.