LNK Vulnerability: Chymine, Vobfus, Sality and Zeus
Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).
But here's the good news: so far, every new sample is detected by us and by many other vendors. What we're seeing are new payloads delivered with the same basic exploit method, which generic detection already covers, rather than new versions of the exploit itself.
Exploit.PDF-Dropper.Gen
The lab is currently seeing a spam run pushing a PDF exploit.
The emails look like this:
From: random addresses
To: random recipients
Subject: New Resume
Please review my CV, Thank You!
Attachment: resume.pdf
Singer's Exploit Kit version CVE-2010-0806
Well, well… looks like someone has been singing along to one of Jay Chow's songs while coding an exploit for a vulnerability in Internet Explorer that was addressed in Microsoft Security Bulletin MS10-018. The exploit, which targets the Peer Objects component (iepeers.dll) in IE, has been found in the wild, and today it was detected attempting to exploit a client browser.
Once the shellcode is decoded, it downloads a payload that is detected as Trojan:W32/KillAV.LD.
Cutwail’s Poorly Written Code Leads to Heavy SSL Traffic
This past week we posted on some of Cutwail's recent spamming activity. While we were digging into the elevated levels of Cutwail activity, the researchers over at Shadowserver posted about the unusual SSL traffic originating from infected hosts.
Cutwail Spamming for Russian Spammers
Spam continues to clog the internet, with providers reporting that spam makes up 80% to 95% of all email in transit. The problem continues into 2010, so last week we examined the active spambot Tedroo: some of its suspicious behaviors, one of its anti-debugging/anti-RE techniques, and its spam delivery.
Bredolab Downloading a Different Banking Password Stealer
As a follow-up to our early-January warning about the Bredolab email blast, this post presents technical details and functionality of the payload that accompanies the delivery-notice and invoice attachment.
F-Secure's Exploit Shield Blocks the "Aurora" Exploit
Microsoft recently announced a new vulnerability in certain versions of its Internet Explorer web browser. If exploited, the vulnerability (CVE-2010-0249) can allow remote code execution.
Announcement of this vulnerability follows on the heels of last week's targeted zero-day attacks against a number of companies.
First iPhone Worm Found
We have located the first iPhone worm, dubbed Ikee. It is currently spreading in the wild, but it can only infect devices that have been "jailbroken" by their owners. Jailbreaking removes the iPhone's protection mechanisms, allowing users to run any software they want.
Affected users will find that their iPhone wallpaper has been altered to a picture of Rick Astley (of Rickroll fame) and the message "ikee is never going to give you up".
Zbot: Not Your Typical Malware
Who Fell for the Facebook Password Reset Scam Yesterday?
Unfortunately, a lot of people didn't realize that the email and attachment we posted yesterday were not really from "The Facebook Team". ThreatFire users were protected from the Bredolab downloader and its Zbot payload, and it's a good thing too. Here is some information on who fell for it, by country: