EXPLOIT PREVENTION LABS RELEASES
EXPLOIT PREVALENCE SURVEY FOR MONTH OF JUNE

WebAttacker Use on the Rise, Cyber Criminals Build out Distribution Networks

July 10, 2006 – Atlanta, GA – Exploit Prevention Labs, the leading developer of anti-exploit protection, today released findings for its Exploit Prevalence Survey™ for the month of June. The Exploit Prevalence Survey, which debuted on June 8, is the industry’s first monthly survey to measure the top web-borne exploits based on real-world prevalence data. The survey results are derived from automated reports submitted by users of Exploit Prevention Labs’ SocketShield anti-exploit software in addition to information captured from the company’s network of hunting-pots. A free trial download of the SocketShield software is available at http://www.explabs.com.

Among the key findings, WebAttacker-generated exploits rose to the number one position, accounting for 32 percent of reported exploits in June compared to 24 percent in May. Incidences of the Windows Metafile (WMF) exploit, which appeared and spread rapidly at the end of 2005, dropped to the number four position from number one in the previous month, accounting for only 15 percent of reported exploits in June compared to 33 percent in May.

According to Roger Thompson, CTO of Exploit Prevention Labs and author of the survey, the WebAttacker script, which criminals use to distribute and launch exploits, may be increasing in popularity because it requires little technical knowledge for the criminals to operate, while the WMF exploit may have declined because users have now had six months to patch for it.

“We are keeping a particularly close eye on the Web Attacker-generated MDAC exploits, which are actually more prevalent than is reflected by the data,” adds Thompson. “We've found four separate MDAC scripts so far and fully expect that number to increase over the coming weeks.”

The overall prevalence of exploits, according to Thompson, remained fairly steady in June compared to May, primarily because there have been few major software vulnerabilities discovered since March of this year. But this current calm should not be cause for complacency.

Despite the relatively unchanged landscape, Thompson believes the cyber criminals are prepared to take advantage of the next big vulnerability discovery. “There are multiple exploit distribution networks on the web that control tens of thousands of “lure” web sites, all of which are being used to distribute malware by drive-by download to unpatched PCs,” says Thompson. “Once the next big vulnerability is discovered and an exploit is written for it, the bad guys can quickly introduce it to their networks.”

In a further development, July has been designated a “Month of Browser Bugs” by security researcher, HD Moore. Through his Metasploit project, he has been stockpiling browser bugs, and is planning to release one each day for the month of July. He says that most will be for Internet Explorer, with a handful for other browsers. Thompson said, “The first few seem to be nothing more than browser crashers, but it will be interesting to see how many of them end up being exploitable, and if they are, how many end up being used by the bad guys.”

Exploit Prevalence Results for the Month of June 2006
The following is a summary of the top five most-reported web exploits for the month of June 2006:

WebAttacker (rank last month: 2; 32.09 percent of overall occurrences)
WebAttacker is a Russian-built software application, first introduced about 18 months ago, which currently launches four different exploits: MDAC, one Firefox exploit, CreateTextRange and an exploit for the Java virtual machine. Like a commercial software application, it can be purchased on underground hacker web sites for between $20 and $300, and it requires minimal technical sophistication to use. It is updated every few months, just like legitimate commercial software, except that it is crimeware.

CreateTextRange (CVE-2006-1359) (rank last month: 3; 19.49 percent of overall occurrences)
Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader, a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, but still popular.

Iframers launcher script (rank last month: 4; 16.34 percent of overall occurrences)
Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, which is generally thought to be based in St. Petersburg, Russia. These are the guys responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an IFRAME, the visitor’s web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user’s computer.

WMF (CVE-2005-2124) with known payload (rank last month: 1; 15 percent of overall occurrences)
Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The first genuine zero-day attack, allegedly purchased for $5,000 from a Russian hacking group. It’s interesting that, four months after Microsoft issued a patch, it’s still widely used by cyber criminals.

TriMode (new entry; 10.27 percent of overall occurrences)
A launcher script discovered by Exploit Prevention Labs on May 23, 2006. An encrypted script that attempts to launch three different exploits.

Note: Numbers do not add up to 100 percent because of the following less-frequently reported exploits: IE Script Action Overload (4.08 percent), MDAC (0.58 percent), Firefox ms06-06 (0.35 percent) and Javascript window (0.12 percent).

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Kerry Swanson of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

What are Exploits?
Exploits are malware applications that take advantage of security vulnerabilities in common software applications such as Windows operating systems and browsers. Unlike traditional malware, such as viruses or trojans that are usually created by thrill-seeking individuals trying to cause chaos, exploits are part of a growing category of malicious and frequently for-profit applications used by international criminal cyber gangs.

Zero-day exploits, an especially dangerous form of exploit, are exploits for which no patches are yet available. Once software vulnerabilities are discovered, it typically takes the software developer anywhere from three weeks to six months to develop a patch, because the patches must be rigorously tested to ensure they don’t cause other system instabilities. On the other hand, exploit developers are not bothered by such concepts as quality assurance and application conflicts, and can release their code very quickly, often the same day a vulnerability is uncovered.

Most exploit infections occur by what’s known as a drive-by download, in which malicious code is force-downloaded onto a user’s computer without their knowledge. This occurs the moment the user visits a compromised web site, which may well appear completely innocuous. The payload, usually in the form of a rootkit, then exposes the user to damage from spyware, keyloggers, and other crimeware.

Many Internet users mistakenly believe that as long as they’re not visiting pornographic or illegal file sharing sites, they’re safe from exploits. The truth, however, is that even trusted web sites cannot always be trusted.

Similar to the business model employed by spammers, the exploit distributors use a tiered distribution system, usually composed of a single master exploit server that controls a large network of servers hosting innocent-seeming web sites that in turn act as lures for unsuspecting visitors. Exploit Prevention Labs has discovered numerous exploit distribution networks in which up to 20,000 trusted and legitimate web sites had been hacked by cyber criminals who were using those sites to spread exploits.

When a surfer visits one of the sites, malicious code placed on the site silently connects to an exploit server operated by the criminals and attempts to deliver the drive-by download onto the user’s machine. If the web surfer is using an operating system or browser that is unpatched for the latest vulnerabilities, their machine is infected.
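One defensive check that follows from the iframers entry and from this description of hacked lure sites, as an added example that is not part of the press release or of Exploit Prevention Labs’ software: a small scanner that flags hidden, cross-origin IFRAMEs injected into a page’s HTML. The sample page and the lure.example.net host are constructed for the example.

```python
# Added example (not the press release's code): flag injected IFRAME redirects like
# those the iframers launcher uses: a hidden <iframe> to an off-site exploit server.
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLES = ("display:none", "visibility:hidden")

def _is_tiny(value):
    """True for width/height values such as 0, 1 or 1px."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # attribute dict of every <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def find_suspicious_iframes(html, page_url):
    """Return (src, reasons) for iframes that are cross-origin and concealed."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        src_host = urlparse(src).hostname
        if src_host and src_host != page_host:
            reasons.append("cross-origin")
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if any(s in style for s in HIDDEN_STYLES):
            reasons.append("hidden")
        if "cross-origin" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings

# Constructed sample: a benign same-site iframe plus an injected hidden one.
SAMPLE_HTML = """<html><body><h1>Store</h1>
<iframe src="http://www.example.com/cart" width="400" height="300"></iframe>
<iframe src="http://lure.example.net/index.html" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "http://www.example.com/")` reports only the second iframe, with the reasons cross-origin, tiny and hidden; a same-site iframe is never reported, so ordinary embedded content does not trigger the check.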

About SocketShield
SocketShield is the industry’s first reliable solution to protect Internet users against the growing threat of zero-day and other crimeware exploits that target vulnerabilities in unpatched Windows applications.

SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits because exploits enter within the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition.

SocketShield Free Trial Available
Free 15-day trials of SocketShield are available from Exploit Prevention Labs’ web site at http://www.explabs.com. The product supports all 32- and 64-bit versions of Windows and requires minimal computing resources to operate. At the conclusion of the 15-day trial, users can purchase a license, including a one-year subscription covering unlimited software updates and online technical support, for $29.95. Volume discounts are available.

About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops security software to protect against vulnerability exploits. SocketShield, the company's flagship product, provides patent-pending protection against zero-day exploits during the critical risk window between the announcement of a vulnerability and the provision of a patch by the vendor. More information about Exploit Prevention Labs and SocketShield may be found on the company's website at www.explabs.com.

Media Contact:
Kerry Swanson/Mark Coker
Dovetail Public Relations
408.395.3600
xpl@dovetailpr.com