Prevx Blog

Dec 9th

Fiesta 2.4 - Monitoring ITW exploit

Posted by: Jacques Erasmus


Mike over at the research lab gave me a link to a Fiesta exploit pack he found running. Fiesta is an exploit pack sold for around $850 on the black market and contains around 25 different exploits. Of these, the most effective exploit in this pack is the Adobe PDF exploit.

The exploit pack is used to provide “loads”, which is slang for malware distribution. What happens in practice is that webmasters of high-traffic sites (mainly porn and the like) send traffic to a certain page on another server, for example www.blah123.com/infect/index.php. This might be done in an iframe. The victim's browser will then iterate through a series of exploits to see if it is vulnerable to any of them.
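The redirect described above usually arrives as an invisible iframe injected into an otherwise legitimate page. The following is an added example (not code from the original post) that a site owner could run over their own pages to flag hidden, off-site iframes of that kind; the sample HTML is constructed, and the target hostname is the post's own placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate embed plus one injected, invisible
# iframe aimed at an exploit-pack landing page (placeholder host from the post).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="480"></iframe>
<iframe src="http://www.blah123.com/infect/index.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

def _is_hidden(attrs):
    """True if the iframe is sized or styled so the user never sees it."""
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = w in ("0", "1") or h in ("0", "1")
    styled_away = "display:none" in style or "visibility:hidden" in style
    return tiny or styled_away

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def find_suspicious_iframes(html, site_host):
    """Return (src, reason) for iframes that are both hidden and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same site
        if host != site_host and _is_hidden(attrs):
            findings.append((src, "off-site host %s; hidden/zero-size frame" % host))
    return findings

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", why)
```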

At present Fiesta 2.4 contains the following exploits:

  • PDF
  • PDF VIS
  • Divx
  • nsILocalFile
  • Yahoo Messenger
  • Realtek
  • ntaudio
  • creative
  • MSIE CollectGarbage
  • Microsoft IE COM objects
  • SnapShot
  • Fwb Downloader
  • Microsoft Works Image Server
  • Facebook PhotoUploader
  • MSIE Speech
  • Microsoft Data Access Component
  • Microsoft WebViewFolder
  • GomWeb ActiveX
  • OurGame GlieDown2 ActiveX BO
  • ARCserve Backup ActiveX
  • America Online Super Buddy ActiveX
  • Opera 9 - 9.21
  • XMLHTTP
  • QuickTime

I thought it would be interesting to monitor the progress of the exploit until the server gets shut down (we have reported it).

Below is a screenshot of the current status of the admin panel, taken at 03:15am GMT on 09/12/2008.

On the left-hand side you can see which countries have been targeted, followed by which service packs/operating systems. As you can see, these are the stats for one day alone. 237 users were directed to the interface; out of those, 29 got infected. I'll keep you posted as the numbers change.

At present that’s a 12% ratio of target to infection.

MSIE v6.0 and v7.0 are by far the most targeted browsers, each taking a healthy 50% of the traffic (MSIE v6.0, obviously, bringing in 98% of the infected users).

[screenshot: admin panel status]

So, 8 hours later... The total number of possible victims passed to the exploit framework is 3944.

[screenshot: admin panel status, 8 hours later]

Some highlights are as follows:

  • MSIE 6.0 - 1422 possible victims - 427 infections - 30.0% target-to-infection ratio
  • MSIE 7.0 - 1547 possible victims - 103 infections - 6.65% target-to-infection ratio
  • MSIE 8.0 - 13 possible victims - 1 infection

The other browsers are largely irrelevant, because so few of the targets used them.

Poland is the top infected country, followed by Russia.

We've seen a big increase since our last post: the number of infected machines has doubled, and the total traffic pushed to the exploit pack has increased a lot.

The percentages, however, remain mostly the same in terms of target-to-infection ratio.

They are currently fluctuating between 29% and 31% for MSIE6 and 6% - 7% for MSIE7.

It is also interesting to note that a Russian user's chance of getting infected is twice as high as a Polish user's (18% vs 9%).

The screenshots are below...

[screenshot: admin panel status, per-country figures]
