EXPLOIT PREVENTION LABS RELEASES JUNE EXPLOIT PREVALENCE SURVEY

TROJAN FAKE CODEC Returns after Two-Month Hiatus, Modified MDAC Holds Strong

July 17, 2007 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), developer of the LinkScanner line of safe surfing software that protects against exploits, phishing, and other social engineering attacks, today released the results of its June 2007 Exploit Prevalence Survey™. Now in its fourteenth month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by LinkScanner users combined with data collected from all levels of the company’s multi-faceted research network.

Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey, noted steady levels of activity during June. Modified MDAC - a creative method of using certain ActiveX controls in a context Microsoft did not originally intend - remained in the number one slot for a second consecutive month, a position it first attained in February of this year. According to Thompson, the exploit has been demonstrating impressive staying power, even though a patch was released by Microsoft some months ago.

Capturing the number two position with 21 percent of all occurrences was TROJAN FAKE CODEC, a Russian social engineering scam that targets web users trying to watch online movies of Paris Hilton, Britney Spears and other celebrities. Before the user can watch the movie, they’re asked to download what appears to be a simple codec - the piece of code that enables streaming video to be displayed on a computer - but which is in reality a malicious rootkit. The user, meanwhile, is watching the movie and has no idea they have been infected by a drive-by download.

“This is the first time we’ve seen the TROJAN FAKE CODEC since its initial strong showing in March,” Thompson said. “The recent increase in incidences serves to remind us that the bad guys are always trying new angles of attack. Of course, the recent flurry of media focus on Paris Hilton probably helped, too.”

In the number three position was the widely distributed MPACK exploit, which is believed to have infected more than 350,000 innocent websites. When a user visits an MPACK-infected page, the exploit sends a script that determines if any vulnerabilities in the user’s browser or operating system can be exploited. If it finds any, it will exploit them and store various statistics for future reference.

“MPACK is popular because like WebAttacker, the toolkit for this exploit is being sold and supported as a packaged, ready-to-use exploit generator,” said Thompson. “The toolkit can be purchased for as little as a few hundred dollars on underground hacker exchanges, and enables the bad guys to easily create and distribute exploits.”

June’s fourth and fifth most prevalent exploits were IE Com CreateObject code with 7.4 percent of all occurrences, and CreateTextRange at 4.96 percent. “The continuing appearance of these two exploits in the survey is testament to the number of PCs that remain unpatched,” Thompson said.

The biggest surprise in June, according to Thompson, was the sharp decline of the Q406 Roll-up package, which had dominated the survey since the package’s debut in January. “When we originally analyzed the package, it was heavily encrypted, making it difficult to differentiate,” said Thompson. “We’re thinking that the bad guys may have tried to make this exploit too complicated and ruined it in the process. But I’m sure we’ll see variations of it in the future.”

In other news, Thompson has been regularly posting lists of unsafe search terms on his blog (http://explabs.blogspot.com/). Disturbingly, many of the searches were for everyday phrases, including:

  • “watch movies for free” - WebAttacker2/MPack
  • “wallpaper” - WebAttacker2/MPack
  • “Arches National Park” - MPack
  • “go karts” - MDAC exploit

“A simple search can send users to trusted web sites that have been exploited, or redirect their clicks via an exploit-infected site,” said Thompson. “It’s vital for people to patch their system regularly and use added exploit-specific protection like LinkScanner.”

Exploit Prevalence Results for the Month of June 2007
The following is a summary of the top five most-reported web exploits for June 2007:

Exploit: Modified MDAC
Rank last month: 1
Percent of overall occurrences: 32.80 percent (32.90 previous)
Description: MDAC refers to a creative method of using certain ActiveX controls in a context Microsoft did not originally intend. An ActiveX control is instantiated inside a web script that allows files to be written to disk and executed.

Exploit: TROJAN FAKE CODEC
Rank last month: 6
Percent of overall occurrences: 21.00 percent (4.40 previous)
Description: This Russian social engineering tactic tricks people into downloading a rootkit by misinforming them that they are downloading a simple codec when they attempt to view a video of Paris Hilton, Britney Spears or other celebrities.

Exploit: MPack
Rank last month: 2
Percent of overall occurrences: 9.10 percent (12.80 previous)
Description: MPack is a set of professionally written PHP scripts that are being sold as a package and use distribution methods similar to earlier WebAttacker output. Hackers can purchase the package on underground markets and use it just like commercial software. The two most dangerous exploits inside the package are believed to be WinZip FileViewCtrl ActiveX dll and ANI.

Exploit: IE Com CreateObject code
Rank last month: 5
Percent of overall occurrences: 7.40 percent (5.00 previous)
Description: IE Com CreateObject was originally released in August 2006 as a proof of concept. The exploit creates a COM object in a mode that was never anticipated by Microsoft; although it was intended for some useful purposes, the functions it enables, such as saving files to disk or executing a file from disk, are potentially dangerous in the hands of a cyber criminal.

Exploit: CreateTextRange
Rank last month: 10
Percent of overall occurrences: 4.96 percent (1.07 previous)
Description: Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader - a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit remains a credible threat.

Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: Search engine hijack (3.74% vs. 4.0%), iFramers Launcher Script (3.46% vs. 1.8%), WMF (CVE-2005-2124) with known payload (3.07% vs. 4.20%), and others (14.47%).

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Lab’s comprehensive Threat Center at http://www.explabs.com/ss/threatCenter.asp.

About the LinkScanner Family of Safe Surfing Software

Exploit Prevention Labs offers a range of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.

The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™, and LinkScanner Online. LinkScanner Pro (free 15-day trial: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits for Windows 2000, XP and Vista users running IE or Firefox browsers. LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer and Firefox users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links.

LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.

About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.

###

Media Contact:
Tim Shisler
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com