Monthly Archives - October of 2013
 

Wednesday, October 2, 2013

 
IE Vulnerability Update #Japan #Metasploit
Posted by Sean @ 12:28 GMT

Microsoft's Security Advisory (2887505), regarding a vulnerability in Internet Explorer, was issued just over two weeks ago. We added exploit detection soon thereafter. At the time, Microsoft reported that exploitation of the vulnerability was in limited use.

Microsoft Security Advisory for CVE-2013-3893

Since then, evidence of attacks on Japanese targets via media sites has surfaced.

And in the last week, our customer upstream data indicates limited use within Taiwan.

Most importantly, there is now Metasploit support for CVE-2013-3893. So it's only a matter of time before it's added to popular exploit kits such as Blackhole. If not this week, then almost certainly a day or two after Microsoft releases its patch next Tuesday.

We recommend avoiding IE (if possible) until it's updated. If you manage a network, Microsoft has a Fix it tool available.


ZeroAccess: The Most Profitable Botnet
Posted by Sean @ 11:17 GMT

In March of this year, researchers on Symantec's Security Response team began looking at ways in which they might be able to "sinkhole" (take down) ZeroAccess, one of the world's largest botnets. But then… in late June, the botnet started updating itself, removing the flaw that the researchers hoped to take advantage of. Faced with the choice of some or nothing, the team moved to sinkhole what they could. And that was over 500,000 bots.

A very commendable effort!

Ross Gibb and Vikram Thakur are presenting a paper about lessons learned at this year's Virus Bulletin.

Unfortunately, the bulk of ZeroAccess is still with us…

To learn more about it, download this report, extracted from our H2 2012 Threat Report.
