One the most common attack kits (that we see and block every day) is El Fiesta. It is frequently updated, and according to reports, pretty cheap.... generally a fair formula for success in any part of the software biz. It has a neat statistics page that keeps nice stats like which countries it has seen, and how many successes (or loads) it has managed in each country.
It also tracks the browsers it has seen, and tracks its successes against each browser. At the bottom of the statistics page, it shows how well it has done with each exploit.
The first interesting point here is that it shows 67 loads against FireFox 3.5, which is impressive, and even more interesting is that the summary shows two FF exploits ... a FF NS Local, and a FF Behavior.
This lead us to wonder what they might be, and in particular, just what was the FF Behavior trick?
At first, all we could get it to do was to throw fairly common PDF exploits at FireFox, which all failed, but then, after certain components were updated just right, we suddenly got this screen that wants to update the page....
Now, if you click ok for the update, and then run the update, you get this old friend ...
Gosh, you've got spyware.... whoda thunk it? Now, I'm not saying it's a great trick or anything, but as the stats page shows, it works. Remember, these guys don't want to cut down the apple tree... they just want to shake it, and pick up the apples that fall off.
We'll keep trying to figure out exactly how they're doing it, just for grins, but there are two other mysteries that we stumbled across while trying to solve this one, so we'll see what happens.