EXPLOIT PREVENTION LABS RELEASES OCTOBER EXPLOIT PREVALENCE SURVEY
WebAttacker Rises to #1 in Rankings, Accounting for 32 Percent of Reported Exploit Attempts
November 27, 2006 – Atlanta, GA – Exploit Prevention Labs (http://www.explabs.com), a leading developer of safe surfing software for protection against web-based exploits, today released findings for its October 2006 Exploit Prevalence Survey™. Now in its sixth month, the Exploit Prevalence Survey is the industry’s definitive survey measuring the top web-borne exploits based on real-world prevalence data. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ LinkScanner family of safe surfing applications, combined with data collected from all levels of the company’s multi-faceted research network.
Although overall October was a relatively quiet month for exploits, Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey, sees an interesting cyclical trend developing.
“Like a tidal surge that crashes to shore and then slowly ebbs back to sea,” says Thompson, “the exploit underworld is characterized by manic flurries of activity accompanying new attacks followed by periods of quiet. Consequently, following their successful IE VML Overflow exploit in September, we believe the cybercriminals are now laying the groundwork for a new round of attacks...”
WebAttacker, which has bounced among the top slots of the Exploit Prevalence Survey for six months, rose to the number one exploit position for the month of October. WebAttacker is a full-fledged exploit generator sold online in the underground communities and updated frequently to help its criminal customers take advantage of newly discovered security vulnerabilities. The most recent update appeared in early October and added support for September’s WebViewFolderIcon setSlice exploit.
Capturing the number two spot in October was the CreateTextRange exploit, up from its number four position the previous month.
MDAC, which Exploit Prevention Labs has been following closely for many months, rose to the number three position, accounting for 13 percent of all exploit reports, up from under four percent the previous month. This escalation is likely attributable to a new variant discovered by researchers at Exploit Prevention Labs that renders some security patches ineffective.
The IE VML Overflow exploit, which burst onto the scene in September and grabbed the top spot in the last survey, dropped in October to the number four position, accounting for 11 percent of exploit reports compared to 45 percent the month before.
Although absent from the top five since the July survey, Trimode saw renewed strength during the month, landing in the top five and accounting for six percent of exploit reports.
Exploit Prevalence Results for the Month of October 2006
The following is a summary of the top five most widely-reported web exploits for the month of October 2006:

| Exploit | Rank last month | Percent of Overall Occurrences | Description |
| --- | --- | --- | --- |
| WebAttacker | 2 | 31.90 percent (14.38 previous) | WebAttacker is a Russian-built software application, first introduced about 20 months ago, which currently launches five different exploits, including the new IE VML Overflow, the new MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online – but on underground hacker web sites – for between $20 and $300, and requires minimal technical sophistication to use. The application is updated every few months, just like legitimate commercial software, only it is crimeware. A new update of WebAttacker, incorporating the IE VML exploit, was released on Exploit Wednesday (the day after Patch Tuesday). |
| CreateTextRange (CVE-2006-1359) | 4 | 15.87 percent (7.79 previous) | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader - a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit remains a credible threat. |
| MDAC | 3 | 12.94 percent (12.40 previous) | Although technically not an exploit, MDAC refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them to be used. They instantiate an ActiveX control inside a web script that allows files to be written to the disk and executed. |
| IE VML Overflow | 1 | 10.79 percent (45.33 previous) | A buffer overflow exploit in the Vector Markup Language feature of the Internet Explorer browser that allows execution of arbitrary code. Security researchers believe it was released on the 13th or 14th of September, right after Patch Tuesday on the 12th. The exploit affects most versions of IE. Microsoft issued an out-of-cycle patch September 27. |
| TriMode | 8 | 6.32 percent (2.74 previous) | A launcher script discovered by Exploit Prevention Labs on May 23, 2006. An encrypted script that attempts to launch three different exploits. |

Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: GromSploit (5.39% vs. 2.09% previous), WMF (4.47% vs. 5.16% previous), Orphaned lures (4.31% vs. 3.62% previous), Iframers launcher script (4.01% vs. 6.48% previous) and others (4%).

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.
For additional background information on exploits and how to protect against them, visit Exploit Prevention Labs’ comprehensive Resource Center at http://www.explabs.com/about/resCenter/.
About the LinkScanner Family of Safe Surfing Software
Exploit Prevention Labs provides a complete family of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.
The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™, and LinkScanner Online. LinkScanner Pro™ (free 30-day evaluation: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing Windows application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits.
LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links. Support for Firefox and other browsers and search engines is in development.
LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned by an exploit distribution network. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.
About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.
###
Media Contact:
Tim Shisler/Julie Parayno
Dovetail Public Relations
408.395.3600
xpl at dovetailpr.com