EXPLOIT PREVENTION LABS RELEASES APRIL EXPLOIT PREVALENCE SURVEY
Two New Exploit Packages Discovered, ANI Exploit Continues to Hit Hard
May 16, 2007 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), developer of the LinkScanner line of safe surfing software that protects against exploits, phishing, and other social engineering attacks, today released the results of its April 2007 Exploit Prevalence Survey™. Celebrating its one year anniversary this month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by LinkScanner users combined with data collected from all levels of the company’s multi-faceted research network.
“Cyber criminals hit the ground running in April,” noted Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey. “The ANI exploit that first hit the headlines at the end of March is proof that the bad guys are getting smarter and more sophisticated because it attacks fully patched machines. Even though Microsoft issued an emergency patch on April 3, it’s moved up from number four to number three this month, representing almost 12 percent of all exploit occurrences.”
Thompson’s team also uncovered two new exploit packages in April, both of which are being widely distributed across the Internet. One package, dubbed ‘WebAttacker 2.0’ by Thompson because it mimics the distribution model of earlier WebAttacker-driven exploits, entered the charts at number five with just over nine percent of all occurrences.
“There are no new exploits in the package,” Thompson said. “But it has new encryption and the important thing is that it is clearly being sold as a package, as was WebAttacker. We’ve called it WebAttacker 2.0 because of similarities, but we expect that time will eventually show the creators to be from a different group.”
The second package, known as NeoSploit, is a toolkit that launches an arsenal of prepackaged exploits specifically tailored for the user’s browser. Thompson believes that NeoSploit, even though it’s currently only registering a 2.1 percent share, is yet another demonstration of cybercriminals’ tenacity.
“We’ve been watching NeoSploit for some time, but it has only recently become clear that it, too, is being sold as a package. Both of these packages are incredibly easy to distribute through unsuspecting websites,” Thompson said. “Seeing two such packages surface in a single month gives us cause for concern that the bad guys’ efforts are escalating.”
Although April’s number one exploit, called “Link to known exploit site,” was new to the survey this month and registered 27.42 percent of all occurrences, according to Thompson it is not a particularly important exploit. “It’s not an exploit in the normal sense of the word,” Thompson said. “It is simply an attempt to link to a known exploitive site. There are many of these, and it’s the aggregation effect that has pushed them to the top.”
Rounding out the top five was Modified MDAC, down from March’s number one slot to this month’s number two position with just under 24 percent of all occurrences. Thompson suspects Modified MDAC originated from HD Moore’s Month of Browser Bugs, and was then picked up by Chinese hackers. “Modified MDAC’s continuing strength supports the theory that the number of active cybercriminals in China is on the rise,” he said.
Exploit Prevention Labs also spent much of April working with Google and some of that company’s clients after researchers at Exploit Prevention Labs uncovered hard evidence that cybercriminals had created Google AdWords campaigns to infect unsuspecting users with malware. One such attack was documented on video by Thompson and can be seen at http://www.youtube.com/watch?v=iD0wdzQb8XY.
“This kind of attack speaks to the level of cunning and sophistication of the bad guys,” Thompson said. “It’s a clear demonstration of the importance of keeping up to date on patches and using safe surfing software such as LinkScanner Pro.”
Also in April, security researchers from Google released a paper at a security conference in the U.K. that documented widespread prevalence of drive-by downloaded malware on web sites. The PDF of the report is available here: http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
Exploit Prevalence Results for the Month of April 2007
The following is a summary of the top five most-reported web exploits for April 2007:
| Exploit | Rank last month | Percent of Overall Occurrences | Description |
| --- | --- | --- | --- |
| Link to known exploit site | New | 27.42 percent (new) | Not an exploit per se, Link to known exploit site is simply an attempt to link to a known exploitive site. There are several known sites and it is the aggregation effect rather than the actual potential for damage that has pushed it to the top of the list. |
| Modified MDAC | 1 | 23.92 percent (40.38 previous) | MDAC refers to a creative method of using certain ActiveX controls in a context Microsoft did not originally intend. An ActiveX control is instantiated inside a web script that allows files to be written to disk and executed. |
| ANI | 4 | 11.9 percent (5.28 previous) | Originally discovered and used by a group of Chinese hackers, the exploit takes advantage of Windows’ handling of animated cursor (.ani) files. It infects fully patched Windows XP SP2 machines running IE 6 or 7. |
| Q406 Roll-up package | 2 | 9.33 percent (19.24 previous) | Comprising up to a dozen exploits including Setslice, VML, XML and IE COM CreateObject Code, the package is usually heavily encrypted. |
| WebAttacker 2.0 | New | 9.1 percent (new) | A new pre-package of current exploits, WebAttacker 2.0 uses similar distribution methods to earlier WebAttacker output. Hackers can purchase the package on underground markets and use it just like commercial software. |

Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: TROJAN FAKE CODEC (3.27% vs. 6.6%), Iframers launcher script (2.45% vs. 3.96%), NeoSploit (2.1% vs. 0.32%), link to known Rootkitter (1.98% vs. 4.72%), others (6.96%).
Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.
For additional background information on exploits and how to protect against them, visit Exploit Prevention Lab’s comprehensive Resource Center at http://www.explabs.com/about/resCenter/.
About the LinkScanner Family of Safe Surfing Software
Exploit Prevention Labs offers a range of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.
The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™, and LinkScanner Online. LinkScanner Pro (free 15-day trial: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits for Windows 2000, XP and Vista users running IE or Firefox browsers. LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer and Firefox users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links.
LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.
About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.
###
Media Contact:
Tim Shisler/Julie Parayno
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com