Exploit Prevention Labs
Threat Center

Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. The report measures the top web-borne exploits based on real-world data. The results are derived from automated reports submitted by LinkScanner users, combined with information captured by the company's network of hunting-pots.

The following is a summary of the top five most-reported web exploits as a percentage of overall exploit occurrences for March 2007:

Exploit / share of all exploit occurrences (previous month in parentheses) / description

1. Modified MDAC: 40.38 percent (new variant)
   MDAC (Microsoft Data Access Components) here refers to a creative misuse of certain ActiveX controls in a context Microsoft did not intend: a web script instantiates a control that lets the page write files to disk and execute them. This is a modified version of the MDAC exploit that originated in China.

2. Q406 roll-up package: 19.24 percent (35.17 percent previous)
   Comprises up to a dozen exploits, including Setslice, VML, XML and IE COM CreateObject code execution, and is usually delivered as heavily obfuscated (encrypted) script.

3. Trojan fake codec: 6.60 percent (new)
   A Russian social-engineering tactic that tricks people into downloading a rootkit by telling them they need a simple video codec when they try to view a video of Paris Hilton or Britney Spears.

4. ANI: 5.28 percent (new)
   Originally developed by the group of hackers behind the Super Bowl World of Warcraft password stealer, this exploit abuses Windows' handling of animated cursor (.ani) files. At the time of this report it infects fully patched Windows XP SP2 machines running IE 6 or IE 7; Microsoft's out-of-band patch followed in early April 2007.

5. WMF (CVE-2005-2124) with known payload: 5.28 percent (4.55 percent previous)
   Windows Metafile exploit from December 2005. It uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Many months after Microsoft issued a patch, it is still widely used by cybercriminals.

Note: the numbers above do not add up to 100 percent because of the following less-reported exploits: link to known Rootkitter (4.72 percent, new), IE VML overflow (4.15 percent vs. 0.48 percent), Iframer launcher script (3.96 percent vs. 4.78 percent), search engine hijack (3.40 percent vs. 4.07 percent), others (6.96 percent).
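The ANI and WMF entries above both rely on a malformed file structure rather than on any particular payload, so a scanner can catch them with a structural check instead of a byte signature. The following Python is an added example, not code from Exploit Prevention Labs or LinkScanner: it flags an ANI file whose anih chunk declares a size other than the 36 bytes of the animation header (the condition the cursor loader failed to validate), and a WMF file containing a META_ESCAPE record whose escape subfunction is SETABORTPROC (the "little-known feature" the WMF exploit abuses). The function names are my own, and the files it scans are constructed inline with filler bytes and no payload.

```python
import struct

ANIH_EXPECTED_SIZE = 36        # sizeof(ANIHEADER): nine DWORDs, the only size a loader should accept
META_ESCAPE = 0x0626           # WMF record function for printer/driver escapes
ESCAPE_SETABORTPROC = 0x0009   # escape subfunction that installs an abort callback (code pointer)


def ani_oversized_anih(data):
    """Return [(offset, declared_size)] for every anih chunk whose size is not 36.

    Walks the RIFF chunk tree of an ACON (animated cursor) file, descending into
    LIST chunks, so a second anih chunk hidden inside a LIST is found as well.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return []  # not an animated cursor at all
    findings = []

    def walk(start, end):
        pos = start
        while pos + 8 <= end:
            cid = data[pos:pos + 4]
            size = struct.unpack_from("<I", data, pos + 4)[0]
            body = pos + 8
            if cid == b"anih" and size != ANIH_EXPECTED_SIZE:
                findings.append((pos, size))
            elif cid == b"LIST" and size >= 4:
                walk(body + 4, min(body + size, end))   # skip the 4-byte list type
            pos = body + size + (size & 1)               # RIFF chunks are word-aligned

    walk(12, len(data))
    return findings


def wmf_setabortproc_records(data):
    """Return byte offsets of META_ESCAPE records that select SETABORTPROC."""
    off = 22 if data[:4] == b"\xd7\xcd\xc6\x9a" else 0   # placeable (Aldus) header is 22 bytes
    if len(data) < off + 18:
        return []
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:                                  # standard METAHEADER is 9 words
        return []
    pos = off + header_words * 2
    hits = []
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3 or func == 0x0000:                # malformed size, or META_EOF
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            esc = struct.unpack_from("<H", data, pos + 6)[0]
            if esc == ESCAPE_SETABORTPROC:
                hits.append(pos)
        pos += rec_words * 2
    return hits


def scan(data):
    """Classify an arbitrary blob; returns the list of indicator names found (empty = clean)."""
    hits = []
    if ani_oversized_anih(data):
        hits.append("ani-oversized-anih")
    if wmf_setabortproc_records(data):
        hits.append("wmf-setabortproc")
    return hits


# --- constructed samples (hypothetical test vectors, not captured exploit files) ---

def _riff_chunk(cid, payload):
    body = cid + struct.pack("<I", len(payload)) + payload
    return body + (b"\x00" if len(payload) & 1 else b"")


def build_ani(second_anih_size=None):
    """A minimal ACON file; optionally append a second anih chunk of the given size."""
    anih = _riff_chunk(b"anih", struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 1, 1))
    chunks = anih
    if second_anih_size is not None:
        chunks += _riff_chunk(b"anih", b"A" * second_anih_size)   # filler, not a payload
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"ACON" + chunks


def build_wmf(escape_func=None):
    """A minimal WMF: standard header, optional META_ESCAPE record, META_EOF."""
    records = b""
    if escape_func is not None:
        payload = b"\x90" * 8                                       # filler bytes only
        rec = struct.pack("<HH", escape_func, len(payload)) + payload
        records += struct.pack("<IH", (6 + len(rec)) // 2, META_ESCAPE) + rec
    records += struct.pack("<IH", 3, 0x0000)                        # META_EOF
    total_words = (18 + len(records)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0)
    return header + records


if __name__ == "__main__":
    for name, blob in [("benign ani", build_ani()),
                       ("ani with 100-byte anih", build_ani(second_anih_size=100)),
                       ("benign wmf", build_wmf()),
                       ("wmf with SETABORTPROC", build_wmf(escape_func=ESCAPE_SETABORTPROC))]:
        print(f"{name}: {scan(blob) or 'clean'}")
```

The check never renders or executes the file; it only walks the declared record structure, which is why it also catches samples whose payload bytes differ from the "known payload" in the table. A legitimate WMF can carry other escape subfunctions, so the filter keys on SETABORTPROC specifically rather than on META_ESCAPE alone.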