Ben Abu said he found the exploit code for CVE-2010-0806 in-the-wild on the server www.topix21century.com, one of the domains used in the ongoing spear phishing attacks. The hacker indicated in a statement to ZDNet that he found the malicious page after browsing the domain that was mentioned by a McAfee blog post describing the targeted attack. After analyzing the attack, Ben Abu released a Metasploit module recreating the exploit and announced it via Twitter. Metasploit quickly integrated the module into their official repository, extending the armory of the point-and-click attack tool. Researchers of the G Data SecurityLabs were able to independently retrace the steps of the Israeli hacker and finally ended up with a working PoC-exploit.
The story of CVE-2010-0806 bears a certain similarity to the developments in the case of the targeted 'Aurora' attack where the exploit techniques were quickly adopted by the authors of web exploit kits for the use in massive web attacks.