Archive
New Arrival: CVE-2010-0806 – IE6/7 Zero-Day
The new IE zero-day is already being used in targeted attacks. In the past few days, we have captured a number of samples derived from the version published on the rec-sec website.
As you can see, the exploit uses a common heap spray method to fill memory with copies of the shellcode. When the shellcode gets executed, a malware sample is downloaded from a compromised website.
A detailed analysis of this malware is available from our system.
Targeted Attack: the attacker leaves a message in an exploit for CVE-2010-0188
Recently, we have also seen very frequent targeted attacks making use of the (incompletely) patched TIFF vulnerability (CVE-2010-0188).
What is interesting is that these exploits insert the JavaScript as well as a crafted TIFF (exploit.tif) into an XML Form and generate the malicious PDF with Adobe LiveCycle ES. The JavaScript is embedded within the form, and there it is not detected by AV.
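The detection gap described above comes from where the script lives: an XFA package is an XDP document stored in a PDF stream, usually FlateDecode-compressed, so a plain string search over the file never sees `application/x-javascript` or the embedded `image/tif`. The scanner below is an added example written for this page, not code from the original post or from any named product. It constructs a minimal PDF with a compressed XFA stream (the XDP layout is simplified, and the script body is a placeholder, not the exploit), then inflates each stream before matching the XFA script and TIFF-image markers. The `decode_streams` switch and the indicator names are this example's own choices.

```python
import re
import zlib
from typing import Optional

# Indicators checked against the raw file bytes. These names live in object
# dictionaries, which are never inside a stream, so they survive compression.
RAW_INDICATORS = {
    "xfa_form": rb"/XFA\b",                     # AcroForm carries an XFA (XDP) package
    "javascript_action": rb"/JavaScript\b|/JS\b",
    "open_action": rb"/OpenAction\b",
}
# Indicators checked against stream content after decoding: an XFA form with an
# embedded script and an embedded image looks like this in the XDP XML.
STREAM_INDICATORS = {
    "xfa_script": rb"<script[^>]*contentType\s*=\s*[\"']application/x-javascript",
    "xfa_tiff_image": rb"<image[^>]*contentType\s*=\s*[\"']image/tiff?",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def scan_pdf(data: bytes, decode_streams: bool = True) -> dict:
    """Return indicator hits plus a 'verdict' for one PDF's bytes.

    decode_streams=False shows what a raw string search sees when the XFA
    package is FlateDecode-compressed (a switch added for illustration).
    """
    hits = {name: bool(re.search(pat, data)) for name, pat in RAW_INDICATORS.items()}
    hits.update({name: False for name in STREAM_INDICATORS})
    hits["undecodable_stream"] = False
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        # Heuristic: the stream's dictionary sits just before the "stream" keyword.
        head = data[max(0, m.start() - 300):m.start()]
        if decode_streams and b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                hits["undecodable_stream"] = True   # claims Flate but will not inflate
                continue
        for name, pat in STREAM_INDICATORS.items():
            if re.search(pat, body):
                hits[name] = True
    form_with_payload = hits["xfa_form"] and (
        hits["xfa_script"] or hits["xfa_tiff_image"] or hits["undecodable_stream"])
    hits["verdict"] = "suspicious" if form_with_payload or hits["javascript_action"] else "clean"
    return hits


# Constructed XDP package: an initialize-event script plus a TIFF image field,
# the two ingredients the post describes. The script body is a placeholder.
MALICIOUS_XDP = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
 <subform name="form1">
  <event activity="initialize"><script contentType="application/x-javascript">
   var placeholder = 1; // constructed stand-in, not the exploit script
  </script></event>
  <field name="img"><ui><imageEdit/></ui>
   <value><image contentType="image/tif">AAAA</image></value></field>
 </subform>
</template>
</xdp:xdp>"""


def build_sample_pdf(xdp: Optional[bytes]) -> bytes:
    """Construct a minimal PDF; if xdp is given, attach it as a compressed /XFA stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /AcroForm 3 0 R" if xdp else b"") + b" >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
    ]
    if xdp:
        packed = zlib.compress(xdp)
        objs.append(b"<< /XFA 4 0 R /Fields [] >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
                    + packed + b"\nendstream")
    out = b"%PDF-1.6\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, pdf in (("xfa sample", build_sample_pdf(MALICIOUS_XDP)),
                       ("benign sample", build_sample_pdf(None))):
        print(label, "raw-only:", scan_pdf(pdf, decode_streams=False)["verdict"],
              "| decoded:", scan_pdf(pdf)["verdict"])
```

Run as a script it prints that the raw-only pass calls the XFA sample clean while the decoded pass flags it; on real files the same logic should be applied to every filter the document uses (ASCIIHex, LZW, and so on), since an attacker chooses the encoding.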
Traces left in the malicious PDF by the hacker can be found, and it is likely that the hacker is "Yuange" (袁哥 in Chinese) and "panlab" (an exploits lab? If it really is, I also want to join too). However, in the new version of the exploit, the Yuange string can no longer be found.
As we know: more features, more bugs. It is my belief that PDF exploits will increase significantly and be used widely in targeted attacks.
Malware Analysis of a Targeted Attack (CVE-2010-0188 Exploit)
Recently, we have captured many PDF files from Chinese hackers exploiting CVE-2010-0188, and our private Automatic Malware Analysis System can inspect such exploit files and analyze the malware.
Here are two case studies to share with you: