EXPLOIT PREVENTION LABS RELEASES SEPTEMBER EXPLOIT PREVALENCE SURVEY
IE VML Exploit Explodes on the Scene, Accounts for 45 Percent of Attempted Exploits, Marks Escalation of Cyber Criminal Efforts to Attack Unpatched Computer Users
October 9, 2006 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), the leading developer of anti-exploit software, today released findings for its September 2006 Exploit Prevalence Survey™. Now in its fifth month, the Exploit Prevalence Survey is the first monthly survey to measure the top web-borne exploits based on real-world prevalence data. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ SocketShield anti-exploit software, combined with exploit distribution data captured from the company’s popular LinkScanner online URL scanning service and network of automated hunting-pots.
“After a relatively quiet three months, the release of the IE VML exploit represents a significant escalation in the tactics used by cyber criminals to attack unpatched computer users,” said Roger Thompson, CTO of Exploit Prevention Labs and the manager of the monthly Exploit Prevalence Survey. “Within a day or two of Microsoft’s Patch Tuesday release on September 12, cyber criminals launched a massive coordinated zero-day attack, possibly the largest zero-day attack in recent history.”
The IE VML Overflow exploit easily captured the number one position in the September Exploit Prevalence Survey, accounting for 45 percent of all attempted exploits. The number is especially significant considering the exploit was released mid-month, which indicates that real-world prevalence on a relative basis was actually higher.
According to Thompson, the IE VML zero-day exploit was released at the same time as another zero-day exploit, the second one affecting the popular Linux web hosting management software application, cPanel. Therefore, a Linux zero-day exploit was used to distribute a Windows zero-day exploit. The cPanel zero-day explains how over 300 web sites hosted by the large Florida web-hosting firm, Host Gator, were hacked to distribute the IE VML exploit. While numerous other hosting firms were affected, Host Gator was most forthcoming in disclosing the hack.
Of further interest, according to Thompson, is that unlike most previous zero-day attacks, which were perpetrated by a single cyber gang, the IE VML exploit was apparently perpetrated by two, possibly even three or four, separate groups who coordinated this large-scale simultaneous zero-day attack.
“The sophisticated coordination among different cyber criminal organizations indicates that the author of the exploit probably sold the exploit to multiple organizations, and successfully orchestrated a controlled simultaneous release which caught Microsoft and most of the computer security industry completely off guard.”
The actual prevalence of the IE VML exploit is likely higher than is suggested by the raw survey data, since the WebAttacker launcher script, which until September attempted to load four different exploits, added the IE VML exploit into its arsenal within days of its release. WebAttacker was the number two most prevalent exploit for the month of September, accounting for approximately 14 percent of reports.
MDAC on the Rise; New Variant Discovered
Although overshadowed somewhat by the IE VML exploit, the MDAC exploit, which Exploit Prevention Labs has been following closely for several months, experienced a strong upsurge in prevalence, rising to the number three position in this month’s survey versus number seven the prior month. MDAC accounted for 12.40 percent of exploit reports compared to 6.7 percent the prior month. In early September, researchers at Exploit Prevention Labs discovered a new version of the MDAC exploit, which was quickly adopted and deployed by cyber criminals. Roger Thompson covered the discovery in his blog at http://explabs.blogspot.com/2006/09/its-not-ms06-042its-new-and-improved.html. Although Microsoft issued a patch for the original MDAC in April, Internet Explorer users who are not patched with the most recent Microsoft August security update remain vulnerable to the latest version of this widely used exploit.
Security Researchers Monitoring Spread of New setSlice Exploit
Although not captured in the survey data, on Friday September 29, a new zero-day exploit named setSlice was released in the wild. Microsoft has not issued a patch for the exploit. The lack of a patch underscores the challenge Microsoft and other application software vendors face when struggling to protect their users against swarms of multiple zero-day exploits released in close succession.
Cyber Criminals Use Malicious eCard Greetings to Spread Exploits, Steal Bank Account Info
The other interesting highlight of the month, possibly signaling further escalation in the exploit distribution tactics used by cyber criminals, was Exploit Prevention Labs’ discovery that criminals were spamming malicious eCard greetings that used drive-by downloads to force-install keyloggers onto the unpatched computers of unsuspecting users. The keyloggers in turn were used to steal bank account numbers, passwords and credit card data.
Exploit Prevalence Results for the Month of September 2006
The following is a summary of the top five most-reported web exploits for the month of September 2006:
| Exploit | Rank last month | Percent of Overall Occurrences | Description |
|---|---|---|---|
| IE VML Overflow | New | 45.33 percent (new) | A buffer overflow exploit in the Vector Markup Language feature of the Internet Explorer browser that allows execution of arbitrary code. Security researchers believe it was released on the 13th or 14th of September, right after Patch Tuesday on the 12th. The exploit affects most versions of IE. Microsoft issued an out-of-cycle patch September 27. |
| WebAttacker | 1 | 14.38 percent (30.36 previous) | WebAttacker is a Russian-built software application, first introduced about 19 months ago, which currently launches five different exploits, including the new IE VML Overflow, the new MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online (though only on underground hacker web sites) for between $20 and $300, and requires minimal technical sophistication to use. The application is updated every few months, just like legitimate commercial software, only it is crimeware. A new update of WebAttacker, incorporating the IE VML exploit, was released on Exploit Wednesday (the day after Patch Tuesday). |
| MDAC | 7 | 12.40 percent (6.69 previous) | Although technically not an exploit, MDAC refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them to be used. The attackers instantiate an ActiveX control inside a web script that allows files to be written to the disk and executed. |
| CreateTextRange (CVE-2006-1359) | 5 | 7.79 percent (8.40 previous) | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader, a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit remains a credible threat. |
| Iframers launcher script | 2 | 6.48 percent (16.81 previous) | Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe embedded on a hacked web site, the visitor’s web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user’s computer. |

Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: WMF (5.16 % vs. 15.78 previous), Orphaned lures (3.62 % vs. 9.78 previous), Trimode (2.74 % vs. 7.38 previous), GromSploit (2.09 % vs. 4.80 previous).
Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.
For additional background information on exploits and how to protect against them, visit Exploit Prevention Labs’ comprehensive Resource Center at http://www.explabs.com/about/resCenter/index.html.
About SocketShield and LinkScanner
SocketShield (free trial: http://www.explabs.com/ss/trial.html) is the industry’s first reliable solution to protect Internet users against the growing threat of zero-day exploits and malicious web sites that target vulnerabilities in unpatched Windows software.
SocketShield provides a critical layer of security that complements the defenses provided by traditional security solutions. Firewalls cannot stop exploits, because exploits enter within the trusted communications stream of the user’s browser connection. Anti-virus and anti-spyware applications can’t protect against exploits because they must wait for the malware code to hit the hard disk in order to detect it, and by that time most exploits have already executed their payload. Patch management systems can’t distribute a patch until the application vendor releases it. And patching as a general practice, while critical, often fails because it relies on users taking action of their own volition.
LinkScanner is a free real-time URL scanner that tells users whether a site they intend to visit has been poisoned by an exploit distribution network. LinkScanner is available at http://www.explabs.com/linkscanner/.
About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops security software to protect against Web-based exploits and malicious web sites. SocketShield, the company’s flagship product, provides patent-pending protection against zero-day exploits during the critical risk window between the announcement of a vulnerability and the provision of a patch by the vendor. Exploit Prevention Labs also offers the free LinkScanner URL checker that determines whether or not a web site is distributing exploits. More information about Exploit Prevention Labs and SocketShield may be found on the company’s website at http://www.explabs.com.
###
Media Contact:
Tim Shisler Dovetail Public Relations 408.395.3600 xpl@dovetailpr.com