Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. The report measures the top web-borne exploits based on real-world data. The results are derived from automated reports submitted by LinkScanner users, combined with information captured by the company's network of hunting-pots.
The following is a summary of the top five most-reported web exploits, each expressed as a percentage of all exploit occurrences, for December 2006:

| Exploit | Share (previous month) | Description |
|---|---|---|
| Q406 Roll-up package | 70.90 percent (new) | Comprises up to a dozen exploits, of which the most common are setSlice, VML, XML, and the (IE COM) Createcomobject code. The package is usually heavily encrypted, making it difficult to single out individual exploits. |
| MDAC | 5.70 percent (4.50 previous) | Although technically not an exploit, MDAC refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them. Attackers instantiate, from a web script, an ActiveX control that allows files to be written to disk and executed. |
| CreateTextRange (CVE-2006-1359) | 4.50 percent (<1.0 previous) | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader (a program whose job is to download and install another program, such as a rootkit or a keylogger). Although Microsoft patched it in April, this exploit remains a credible threat. |
| Iframers launcher script | 3.60 percent (6.26 previous) | Propagated by a cybercrime organization sometimes called the CoolWebSearch gang or the Russian iframers, a mob generally thought to be based in St. Petersburg, Russia, and held responsible for the Circuit City hack in early June 2006. A simple HTML iframe tag embedded in a hacked web site redirects the visitor's browser to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer. |
| WMF (CVE-2005-2124) with known payload | 2.70 percent (7.20 previous) | Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Seven months after Microsoft issued a patch, it is still widely used by cybercriminals. |

Note: The numbers above do not add up to 100 percent because of the following less frequently reported exploits: WebAttacker (2.30% vs. 23.33% previous), WMF with unknown payload (1.40%), QuickTime HREF worm (1.20%, new), IE VML overflow (1.20% vs. 4.0% previous), and others (3.80%).
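As an added defensive example, not part of the report or of LinkScanner, the following script shows the check a site owner or incident responder could run over a page's own HTML to spot the kind of injected iframe described in the "Iframers launcher script" row: an iframe whose `src` points off-site and which is hidden by CSS or sized to zero pixels. The page URL, hostnames and HTML below are constructed for the example.

```python
"""Flag suspicious <iframe> elements in a page's HTML (added example).

Signals checked, each taken from the behaviour described in the report:
  * src points to a host other than the page's own host
  * width or height of 0/1 pixel (invisible to the visitor)
  * inline CSS hiding the frame (display:none / visibility:hidden)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (with or without 'px')."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except (ValueError, AttributeError):
        return False


class IframeCollector(HTMLParser):
    """Collects the attribute dictionaries of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, page_url):
    """Return a list of {'src', 'reasons'} for iframes that trip any signal."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        src_host = urlparse(src).hostname  # None for relative URLs: same-site
        reasons = []
        if src_host and src_host != page_host:
            reasons.append("off-site src %s" % src_host)
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("near-zero dimensions")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate same-site iframe followed by an injected,
# hidden, off-site one of the kind a compromised page would carry.
SAMPLE_PAGE_URL = "http://www.example-shop.test/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example-shop.test/promo.html" width="300" height="200"></iframe>
<iframe src="http://exploit-server.invalid/landing.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("SUSPICIOUS iframe %s: %s" % (finding["src"], ", ".join(finding["reasons"])))
```

Run against the constructed sample, the script reports only the second iframe, with all three reasons. A same-site promotional frame with normal dimensions is not flagged, so the signals are meant to be combined with a review of the page's recent modification history rather than used as a blocklist on their own.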