Just after the Adobe and French CERTA advisories, I wanted to talk a lil bit about the website that is said to host the Adobe 0day.
Here is Adobe's advisory:
http://www.adobe.com/support/security/advisories/apsa10-01.html
According to Symantec (see: http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-060601-3020-99), the suspicious website is:
google-analytics. dynalias.org.
It quite clearly seems to be a fake Google Analytics portal. Not sure that it does steal users' credentials anyway...
Please note that:
- Netcraft did not warn about it (at the time of writing)
- IronPort does not detect it
- Secure Computing (trustedsource.org) does not detect it
- Firefox 3.6 does not tell anything
- Internet Explorer 8 does not either
and very few AV vendors are said to be able to detect the PDF...
Here is what the website looks like:
The IP address 180.149.252.136 is apparently located in Hong Kong... see:
http://www.robtex.com/dns/google-analytics.dynalias.org.html
and blacklisted at least once!
So I strongly recommend remaining prudent with that domain.
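
Since the reputation services listed above did not flag the host, a local check for the pattern it shows (a well-known service name used as a label under a dynamic-DNS zone) can be run over DNS or proxy logs. This is an added example, not part of the original post; the zone list other than dynalias.org, the brand list and the log format are assumptions.

```python
import re

# Assumptions for illustration: only dynalias.org comes from the post.
DYNDNS_ZONES = ("dynalias.org", "dyndns.org", "no-ip.org")
# Service names worth watching for; illustrative list.
BRANDS = ("google-analytics", "adobe")

def normalise(host):
    """Lower-case and drop surrounding space and the trailing root dot."""
    return host.strip().rstrip(".").lower()

def check_host(host):
    """Return (brand, zone) if a brand name sits under a dynamic-DNS zone."""
    host = normalise(host)
    zone = next((z for z in DYNDNS_ZONES if host.endswith("." + z)), None)
    if zone is None:
        return None  # not dynamic DNS, e.g. the real www.google-analytics.com
    prefix = host[: -len(zone) - 1]
    # Squash separators so "google.analytics" or "googleanalytics" also match.
    squashed = re.sub(r"[^a-z0-9]", "", prefix)
    for brand in BRANDS:
        if brand.replace("-", "") in squashed:
            return brand, zone
    return None

def scan(log_lines):
    """Return hits from 'timestamp client host' lines (assumed log format)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, host = fields
        verdict = check_host(host)
        if verdict:
            hits.append((client, normalise(host)) + verdict)
    return hits

# Constructed sample log; client addresses and timestamps are made up.
SAMPLE_LOG = [
    "2010-06-07T09:14:02Z 10.0.0.21 www.google-analytics.com",
    "2010-06-07T09:14:05Z 10.0.0.21 google-analytics.dynalias.org.",
    "2010-06-07T09:15:40Z 10.0.0.35 home-nas.dynalias.org",
    "2010-06-07T09:16:11Z 10.0.0.35 Google.Analytics.dyndns.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage, not a verdict: ordinary dynamic-DNS hosts such as the `home-nas` line pass through untouched, and the brand list needs to reflect the services your users actually rely on.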