Reverse Engineering An Attack by Exploit CAN-2004-0380

2004-05-19 : I was surfing the net, not clicking on anything bad, when suddenly I got a crash dialog from a spyware app. Checking my task list, sure enough I suddenly had a bunch of spyware apps running! I quickly unplugged from the net, then set about to discover what had happened. Was it a worm spreading on the corporate intranet? Nope. It turned out to be a web-page based remote code execution exploit, CAN-2004-0380. My guess is that an ad server was compromised, causing the exploit to be run on every client to which it served an ad. Here are my notes as I tracked down how my machine was attacked. It turns out that the patch had been released in April, but my company had chosen not to install it yet.

Moral: It is imperative you keep up with the security patches!

My raw notes.