EXPLOIT PREVENTION LABS RELEASES INDUSTRY’S FIRST EXPLOIT PREVALENCE SURVEY

Monthly Survey Identifies the Most Prevalent Web-Based Exploits

June 8, 2006 – Atlanta, GA – Exploit Prevention Labs, the leading developer of anti-exploit software, today released findings from its Exploit Prevalence Survey™, the industry’s first monthly survey to measure the rise of Internet-borne exploits and zero-day attacks.

Exploits are a new tool being used by international cyber criminal organizations that take advantage of security vulnerabilities in common software applications such as Windows operating systems and browsers. Most infections occur by what’s known as a drive-by download, in which malicious code is force-downloaded onto a user’s computer without their knowledge. This occurs the moment the user visits a compromised web site, which in itself likely appears completely innocuous. The payload, usually in the form of a downloader, then exposes the user to damage from spyware, keyloggers, rootkits and other crimeware.

“Many users mistakenly believe as long as they’re not visiting pornographic or illegal file sharing sites, they’re safe from exploits,” said Roger Thompson, CTO of Exploit Prevention Labs and chief researcher for the monthly Exploit Prevalence Survey. “Sadly, our research indicates that even trusted web sites can no longer be trusted.”

Recently, Exploit Prevention Labs analyzed the distribution network established by just one cyber criminal organization and found that it was using a network of 40 domains, each of which had an average of 500 lure websites linking into it, giving it a reach of 20,000 trusted web sites that were acting as lures for innocent web surfers. The operators of these web sites were probably completely unaware that their sites had been hacked. When a surfer visits one of the sites, malicious code placed on the site silently connects to an exploit server operated by the criminals and attempts to deliver the drive-by download onto the unsuspecting user’s machine. If the web surfer is using an operating system or browser that is unpatched against the latest vulnerabilities, their machine will be infected.

Exploit Prevalence Survey Methodology
The results of the monthly Exploit Prevalence Survey are derived from automated reports by users of Exploit Prevention Labs’ SocketShield anti-exploit software (free trial download at http://www.explabs.com), who have agreed to have their SocketShield installations report all suspected exploit attempts back to the researchers at Exploit Prevention Labs. SocketShield users form an integral component of Exploit Prevention Labs’ Intelligence Network, which utilizes patent-pending technology to deliver protection against new Internet-borne exploits, often within minutes of their release.

Results of First Exploit Prevalence Survey
The following is a summary of the most-reported Internet exploits for the month of May 2006:

Exploit | Percent of Overall Occurrences | Description
WMF (CVE-2005-2124) with known payload | 33.0% | Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, such as malware. A genuine zero-day attack allegedly purchased for $5,000 from a Russian hacking group. It’s interesting that four months after Microsoft issued a patch, it’s still the number one exploit being used by cyber criminals.
WebAttacker | 24.71% | WebAttacker is a Russian-built software application that generates web-based exploits. It can be purchased on underground hacker web sites for between $20 and $300, and it requires minimal technical sophistication to operate. It is updated every few months, similar to commercial applications, only it’s crimeware.
CreateTextRange (CVE-2006-1359) | 20.74% | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader, a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, but still popular.
Iframers launcher script | 18.44% | Propagated by a cyber crime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. These are the guys responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an IFRAME, the visitor’s web browser reaches out to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user’s computer.
IE Script Action Overload | 3.11% | Internet Explorer exploit from March 2006. This came out two days before the CreateTextRange exploit was released. This exploit has possibly been abandoned as impractical by cybercriminals in favor of CreateTextRange, which has proven more popular.

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Kerry Swanson of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

Exploits Evolve Beyond Traditional Viruses, Trojans and Spyware
Unlike traditional malware, such as viruses or trojans, that are largely created by thrill-seeking individuals trying to cause chaos, zero-day exploits are part of a growing category of malicious and frequently for-profit applications used by international criminal cybergangs. Similar to the business model employed by spammers, the exploit distributors use a tiered distribution system, usually composed of a single master exploit server that controls a large network of servers hosting innocent-seeming web sites which in turn act as lures for unwitting visitors. Simply by visiting the site, users are silently infected with exploit code through a drive-by download.

About SocketShield
SocketShield is the industry’s first reliable solution to protect Internet users against the growing threat of drive-by downloads, zero-day attacks, malicious web sites, and other crimeware exploits that target vulnerabilities in unpatched Windows applications. These exploits install a wide variety of malware onto users’ computers, usually in the form of a rootkit that protects the malware from detection by existing security measures. The rootkit and accompanying malware then enable the exploit distributor to perpetrate crimes such as identity theft, extortion, fraud, and espionage.

SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits because exploits enter through the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition.

SocketShield Free Trial Available
SocketShield is now available for free 15-day trials from Exploit Prevention Labs’ web site at http://www.explabs.com. The product supports all 32- and 64-bit versions of Windows and requires minimal computing resources to operate. At the conclusion of the 15-day trial, users can purchase a license, including a one-year subscription covering unlimited software updates and online technical support for $29.95. Volume discounts are available.

About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops security software to protect against vulnerability exploits. SocketShield, the company's flagship product, provides patent-pending protection against zero-day exploits during the critical risk window between the announcement of a vulnerability and the provision of a patch by the vendor. More information about Exploit Prevention Labs and SocketShield may be found on the company's website at www.explabs.com.

Media Contact:
Kerry Swanson/Mark Coker
Dovetail Public Relations
408.395.3600
xpl@dovetailpr.com