Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. The report ranks the top web-borne exploits using real-world data: automated reports submitted by LinkScanner users, supplemented by information captured from the company's network of hunting-pots.
The following is a summary of the five most-reported web exploits for July 2006, each given as a percentage of all exploit occurrences:
| Exploit | % | Description |
| --- | --- | --- |
| Iframers Launcher Script | 26.11% | Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, a mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag, an iframe, embedded on a hacked web site, the visitor's browser is silently redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer. |
| WebAttacker | 26.00% | WebAttacker is a Russian-built software application, first introduced about 18 months ago, that currently launches four different exploits: MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application it can be purchased online, although only on underground hacker web sites, for between $20 and $300, and it requires minimal technical sophistication to use. It is updated every few months, just like legitimate commercial software, except that it is crimeware; the July update was most likely for bug fixes. |
| WMF (CVE-2005-2124) with known payload | 17.33% | Windows Metafile exploit from December 2005. It uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Seven months after Microsoft issued a patch, it is still widely used by cybercriminals. |
| TriMode | 11.12% | A launcher script discovered by Exploit Prevention Labs on May 23, 2006. TriMode is an encrypted script that attempts to launch three different exploits. |
| CreateTextRange (CVE-2006-1359) | 9.02% | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader: a program whose job is to download and install another program such as a rootkit or a keylogger. Patched by Microsoft in April, this exploit appears to be in decline. |
Note: The numbers above do not add up to 100 percent because of the following less-frequently reported exploits: IE Script Action Overload (4.57 percent), MDAC (3.51 percent), CHM (1.99 percent) and Javascript window (0.35 percent).