Exploit Prevention Labs
EXPLOIT PREVENTION LABS RELEASES MARCH EXPLOIT PREVALENCE SURVEY

Chinese Hackers Take Over the Number One Slot, ANI Exploit Hits Hard in Final Days of March

April 23, 2007 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), developer of the LinkScanner line of safe surfing software that protects against exploits, phishing, and other social engineering attacks, today released the results of its March 2007 Exploit Prevalence Survey™. Now in its eleventh month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ LinkScanner family of safe surfing applications, combined with data collected from all levels of the company’s multi-faceted research network.

March’s most notable development occurred toward the end of the month, on March 28, when a zero-day exploit that takes advantage of how Windows handles animated cursor (.ani) files was discovered. The so-called ANI exploit attacked fully patched Windows XP SP2 machines running IE 6 or 7 and was successful enough to land the number four slot on the prevalence survey with only four days of distribution.

“The ANI exploit is a sophisticated attack,” Thompson said. “We believe it first originated in China, with the relatively benign goal of stealing World of Warcraft (WoW) passwords. But within days, bad guys from around the world had picked it up and begun enhancing it for more nefarious purposes.” At the end of March, Microsoft announced they would be releasing an emergency patch in the first week of April.

In other news, a modified MDAC exploit, also originating in China, secured the number one position in March with 40.38 percent of all occurrences, supporting Thompson’s belief that a global shift is taking place.

“We’re now seeing a rapid rise in the number of active cybercriminal groups in China looking to profit from exploits,” Thompson said. “It started with January’s Super Bowl attack, and now the technical sophistication of Chinese exploit code is easily on a par with code coming out of the US and Russia.”

March’s second most common exploit was the still-widespread Q406 Roll-up package, accounting for 19.24 percent of new exploit reports. The package had dominated the survey since it debuted in December 2006.

Coming in third with six percent of all occurrences was the TROJAN FAKE CODEC, a social engineering scheme devised by Russian cybergangs.

“The big Russian gangs are finding new ways to trick people,” Thompson said. “Tactics include targeting web users who are trying to watch an online movie of Paris Hilton or Britney Spears. But before they can watch the movie, they’re asked to download what appears to be a simple codec, which in actuality is a malicious rootkit. Unfortunately, the innocent user has no idea they’ve just been infected.”

Rounding out the top five, after a two month hiatus from the list, is the old Windows Metafile (WMF) exploit, first released back in December of 2005. Even though the exploit was patched over a year ago, newer variants continue to find victims.

According to Thompson, the constant barrage of new and old exploits means people should be extra vigilant about protecting their systems and updating them as soon as patches are available. “Realistically, the exploiters are always going to be a step ahead of the application vendors - Microsoft fast-tracked their ANI patch, but it still took more than a week to develop, test, and distribute. So unless you were using an added layer of security like LinkScanner, there’s no guarantee you’ll be safe from the bad guys.”

Exploit Prevalence Results for the Month of March 2007

The following is a summary of the top five most-reported web exploits for March 2007:

Exploit: Modified MDAC
Rank last month: New
Percent of overall occurrences: 40.38 percent (New variant)
Description: MDAC refers to a creative method of using certain ActiveX controls in a context Microsoft did not originally intend. They instantiate an ActiveX control inside a web script that allows files to be written to the disk and executed. This MDAC is a modified version that originated in China.

Exploit: Q406 Roll-up package
Rank last month: 2
Percent of overall occurrences: 19.24 percent (35.17 previous)
Description: Comprising up to a dozen exploits including Setslice, VML, XML and IE COM CreateObject Code, the package is usually heavily encrypted.

Exploit: TROJAN FAKE CODEC
Rank last month: New
Percent of overall occurrences: 6.60 percent (new)
Description: This Russian social engineering tactic tricks people into downloading a rootkit by misinforming them they are downloading a simple codec when they attempt to view a video of Paris Hilton or Britney Spears.

Exploit: ANI
Rank last month: New
Percent of overall occurrences: 5.28 percent (New)
Description: Originally developed by the group of hackers behind the Super Bowl World of Warcraft password stealer, the exploit takes advantage of Windows’ handling of animated cursor (.ani) files. It infects fully patched Windows XP SP2 machines running IE 6 or 7.

Exploit: WMF (CVE-2005-2124) with known payload
Rank last month: 7
Percent of overall occurrences: 5.28 percent (4.55 percent)
Description: Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Many months after Microsoft issued a patch, it’s still widely used by cybercriminals.

Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: link to know Rootkitter (4.72% vs. new), IE VML Overflow (4.15% vs. 0.48%), Iframers launcher script (3.96% vs. 4.78%), Search Engine Highjack (3.40% vs. 4.07%), others (6.96%).

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Lab’s comprehensive Resource Center at http://www.explabs.com/ss/threatCenter.asp.

About the LinkScanner Family of Safe Surfing Software

Exploit Prevention Labs offers a range of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.

The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™, and LinkScanner Online. LinkScanner Pro (free 15-day trial: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits for Windows 2000, XP and Vista users running IE or Firefox browsers. LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer and Firefox users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links.

LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.

About Exploit Prevention Labs

Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.

###

Media Contact:
Tim Shisler/Julie Parayno
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com