Except for the “Russian-text-email-with-malware” that’s been going around for a week now, everything is quiet. And on the russian email, we’ve captured quite a lot, with almost the same text (no, i can’t read russian but i can *almost* compare the characters), and either trojan downloaders or worms as an attachment. Check out WORM_ARESES.B and TROJ_DROPPER.AYW(to name one dropper. there are quite a few of them).
Back to the original “quiet-slow-april” premise…
Yep, quite quiet (that’s an anagram right there!). No “massive-worm-outbreak” (as is the norm nowadays), no “remote-very-dangerous-0-day-for-Windows-ala-RPC-DCOM”, no “April-Fools-Day-malware”, no “Malware-seen-by-F-Secure-Kaspersky-and-Trend-and-posted-on-their-respective-blogs”, no new thing on ISC – internet Storm Center (except for the Horde exploit, of which we have yet to acquire a sample).
What about the CreateTextRange for IE – Internet Explorer? What about it?
Well, in my opinion, it wasn’t that dangerous than say, the WMF one. One reason is, the CreateTextRange exploit that was in-the-wild consumed LOTS of CPU resources (dare I say 100%?) and would hang the browser (if not the system), while waiting for the correct address to trigger. If the user was on dial-up, I’d have to wait a few minutes before the exploit would trigger and if I was the user, if my IE hanged, I’d just close it and restart it.
No chance for the exploit to execute. And if I was on a faster line, IE would hang for say… 20-30 seconds? And still that depends on the speed of the machine. Can’t quite remember how long it took for my test system to execute the shellcode, but still, 20 seconds is quite a long time to wait if you expect your connection to be fast.
Although someone created a Proof-of-Concept that did not consume tons of CPU resources, the thing is, it still required some time to trigger (thus bypassing the CPU resource, but increasing the time to execute). By then, the user will have changed to another page, or closed IE – Internet Explorer. (Oh well, that’s just me though.) If you want to know why the CreateTextRange exploit needed time to execute, try researching on “IE Heap-spraying Skylined”.