EXPLOIT PREVENTION LABS RELEASES JULY EXPLOIT PREVALENCE SURVEY
Iframers Launcher Surges to #1, Cyber Criminals Taking New Steps to Elude Security Defenses and Blacklists
August 3, 2006 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), the leading developer of anti-exploit software, today released findings for its July 2006 Exploit Prevalence Survey™. Now in its third month, the Exploit Prevalence Survey is the first monthly survey to measure the top web-borne exploits based on real-world prevalence data. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ SocketShield anti-exploit software, combined with exploit distribution data captured from the company’s popular LinkScanner service and network of automated hunting-pots.
July’s data shows an increase in the overall prevalence of exploits; of particular note is the surge in Iframers Launcher Script use, taking it to the number one position accounting for 26 percent of reported exploits, up from the number three position in June with 16 percent. The Iframers Launcher Script is produced and distributed by the St. Petersburg, Russia-based cyber criminal organization known as the CoolWebSearch (CWS) gang – the same group responsible for the still-widespread WMF exploit that first appeared at the end of last year.
According to Roger Thompson, CTO of Exploit Prevention Labs and author of the Exploit Prevalence Survey, “Because our Intelligence Network operates in real-time, we’re able to keep track of the CWS gang’s activities, unlike the traditional safe surfing and blacklisting services.”
The WebAttacker launcher script, developed and sold by an underground software publisher also based in Russia, remained strong at nearly 26 percent of reported exploits, dropping slightly from its number one position in June when it accounted for 32 percent of reports. WebAttacker remains popular because it enables people with little technical knowledge to create and distribute exploits using a simple point-and-click interface. Although the developer issued an updated version of the script in July, most likely to address bug fixes, it continues to distribute the same suite of exploits as it did in June.
Incidences of the Windows Metafile (WMF) exploit, which appeared and spread rapidly at the end of 2005, bounced back up to the number three position with 17 percent prevalence in July from its number four position and 15 percent in June.
Thompson urged users to redouble their patching efforts. “Even though seven months have passed since Microsoft issued a patch for the WMF vulnerability, WMF’s continued strong showing in our surveys indicates that a significant number of users remain unpatched.”
The MDAC exploit continued to increase in prevalence, reaching 3.5 percent in July, up from 0.5 percent in June; the true figure is likely much higher, since the WebAttacker launcher script also distributes the MDAC exploit and its instances are counted under WebAttacker.
Exploit Prevalence Results for the Month of July 2006
The following is a summary of the top five most-reported web exploits for the month of July 2006:
Exploit | Rank last month | Percent of overall occurrences | Description
Iframers launcher script | 3 | 26.11 percent | Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe embedded on a hacked web site, the visitor's web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer.
WebAttacker | 1 | 26.00 percent | WebAttacker is a Russian-built software application, first introduced about 18 months ago, which currently launches four different exploits: MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, it can be purchased online, though only on underground hacker web sites, for between $20 and $300, and requires minimal technical sophistication to use. It is updated every few months, just like legitimate commercial software, except that it is crimeware. It was updated in July, most likely for bug fixes.
WMF (CVE-2005-2124) with known payload | 4 | 17.33 percent | Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Seven months after Microsoft issued a patch, it is still widely used by cybercriminals.
TriMode | 5 | 11.12 percent | A launcher script discovered by Exploit Prevention Labs on May 23, 2006, TriMode is an encrypted script that attempts to launch three different exploits.
CreateTextRange (CVE-2006-1359) | 2 | 9.02 percent | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader, a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit appears to be in decline.
Note: The numbers above do not add up to 100 percent because of the following less-frequently reported exploits: IE Script Action Overload (4.57 percent), MDAC (3.51 percent), CHM (1.99 percent) and Javascript window (0.35 percent).
Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Kerry Swanson or Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.
What are Exploits?
Exploits are malware applications that take advantage of security vulnerabilities in common software applications such as Windows operating systems and browsers. Unlike traditional malware, such as viruses or trojans that are usually created by thrill-seeking individuals trying to cause chaos, exploits are part of a growing category of malicious and frequently for-profit applications used by international criminal cyber gangs.
Zero-day exploits, an especially dangerous form of exploit, are exploits for which no patches are yet available. Once software vulnerabilities are discovered, it typically takes the software developer anywhere from three weeks to six months to develop a patch, because the patches must be rigorously tested to ensure they don’t cause other system instabilities. On the other hand, exploit developers are not bothered by such concepts as quality assurance and application conflicts, and can release their code very quickly, often the same day a vulnerability is uncovered.
Most exploit infections occur by what’s known as a drive-by download, in which malicious code is force-downloaded onto a user’s computer without their knowledge. This occurs the moment the user visits a compromised web site, which may well appear completely innocuous. The payload, usually in the form of a rootkit, then exposes the user to damage from spyware, keyloggers, and other crimeware.
Many Internet users mistakenly believe as long as they’re not visiting pornographic or illegal file sharing sites, they’re safe from exploits. The truth, however, is that even trusted web sites cannot always be trusted.
Similar to the business model employed by spammers, the exploit distributors use a tiered distribution system, usually composed of a single master exploit server that controls a large network of servers hosting innocent-seeming web sites that in turn act as lures for unsuspecting visitors. Exploit Prevention Labs has discovered numerous exploit distribution networks in which up to 20,000 trusted and legitimate web sites had been hacked by cyber criminals who were using those sites to spread exploits.
When a surfer visits one of the sites, malicious code placed on the site silently connects to an exploit server operated by the criminals and attempts to deliver the drive-by download onto the user’s machine. If the web surfer is using an operating system or browser that is unpatched for the latest vulnerabilities, their machine is infected.
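The release describes the injected-iframe lure used by the Iframers gang and the drive-by chain it triggers: an iframe planted on a hacked but legitimate site silently pulls content from a third-party exploit server, usually sized to zero pixels or hidden with CSS so the visitor sees nothing. The following scanner is an added example, not code from Exploit Prevention Labs or its products; it shows the check a site owner or incident responder can run over their own pages to find iframes that point off-site or are styled to be invisible. The sample page, the `find_suspicious_iframes` function and the `.invalid` host names are constructed for illustration.

```python
"""Flag iframes on a page that point off-site or are hidden from the visitor.

Added example (not Exploit Prevention Labs' code). Assumes the injected-iframe
pattern described in the release: an <iframe> whose src is on a host other than
the page's own, typically made invisible with zero dimensions or display:none.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag names; normalise attribute names too
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _looks_hidden(attrs):
    """True when the iframe is styled away or sized to at most one pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        value = value.strip().lower().rstrip("px")
        return value.isdigit() and int(value) <= 1

    return tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))


def find_suspicious_iframes(html, page_host):
    """Return a list of findings for iframes that are off-site and/or hidden.

    page_host is the host the page was served from; a src with no host
    (a relative URL) is treated as same-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""  # handles "//host/path" as well
        offsite = bool(host) and host.lower() != page_host.lower()
        hidden = _looks_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "offsite": offsite, "hidden": hidden})
    return findings


# Constructed sample: a shop page with one legitimate iframe and two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Store news</h1>
<iframe src="/promo.html" width="300" height="200"></iframe>
<iframe src="http://exploit-server.invalid/in.cgi?3" width="0" height="0"></iframe>
<iframe style="display: none" src="http://other.invalid/x"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "store.example"):
        print(finding)
```

Run against a crawl of your own site, the list is short enough to review by hand; a finding that is both off-site and hidden is the exact shape of injection the release attributes to the iframers, and the `src` host is what you would block at the proxy and pass to an incident responder.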
About SocketShield
SocketShield is the industry’s first reliable solution to protect Internet users against the growing threat of zero-day and other online exploits that target vulnerabilities in unpatched Windows applications.
SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits, because exploits enter within the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition.
Free Trials
Free trial downloads of SocketShield are available from Exploit Prevention Labs’ web site at http://www.explabs.com. The product supports all 32- and 64-bit versions of Windows and requires minimal computing resources to operate. At the conclusion of the trial, users can purchase a license, including a one-year subscription covering unlimited software updates and online technical support, for $29.95. Volume discounts are available.
Exploit Prevention Labs also last month introduced LinkScanner, a free real-time URL scanner that tells users whether a site they intend to visit has been poisoned by an exploit distribution network. LinkScanner is available at http://linkscanner.explabs.com.
About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops security software to protect against Web-based exploits. SocketShield, the company’s flagship product, provides patent-pending protection against zero-day exploits during the critical risk window between the announcement of a vulnerability and the provision of a patch by the vendor. Exploit Prevention Labs also offers the free LinkScanner URL checker, the first product developed from the company’s SocketShield Software Developers’ Kit (SDK). More information about Exploit Prevention Labs and SocketShield may be found on the company’s website at http://www.explabs.com.
###
Media Contact:
Kerry Swanson/Mark Coker Dovetail Public Relations 408.395.3600 xpl@dovetailpr.com