Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. This report measures the top web-borne exploits based on real-world data. The results are derived from automated reports submitted by LinkScanner users, in addition to information captured from the company's network of hunting-pots.
The following is a summary of the top five most-reported web exploits as a percentage of overall exploit occurrences for May 2007:
| Exploit | % | Description |
|---|---|---|
| Modified MDAC | 32.90 percent (23.92 previous) | MDAC refers to a creative method of using certain ActiveX controls in a context Microsoft did not originally intend. An ActiveX control is instantiated inside a web script that allows files to be written to disk and executed. |
| MPack | 12.80 percent (9.10 previous) | MPack is a set of professionally written PHP scripts that are being sold as a package and use similar distribution methods to earlier WebAttacker output. Hackers can purchase the package on underground markets and use it just like commercial software. The two most dangerous exploits inside the package are believed to be WinZip FileViewCtrl ActiveX dll and ANI. |
| ANI | 12.80 percent (11.90 previous) | Originally discovered and used by a group of Chinese hackers, the exploit takes advantage of Windows' handling of animated cursor (.ani) files. At the time of its release into the wild, the ANI exploit infected fully patched Windows XP SP2 machines running IE 6 or 7. Microsoft released an emergency patch on April 3, but the exploit continues to attack unpatched machines. |
| Q406 Roll-up package | 6.80 percent (9.33 previous) | Comprising up to a dozen exploits, including Setslice, VML, XML and IE COM CreateObject Code, the package is usually heavily encrypted. |
| IE COM CreateObject code | 5.00 percent (0.08 previous) | IE COM CreateObject was originally released in August 2006 as a proof of concept. The exploit creates a COM object in a mode that was never anticipated by Microsoft, and although it was intended for some useful purposes, the functions it enables, such as saving files to the disk or executing a file on the disk, are potentially dangerous in the hands of a cybercriminal. |
Note: The numbers above do not add up to 100 percent because of the following lesser-reported exploits: TROJAN FAKE CODEC (4.40% vs. 3.27%), WMF (CVE-2005-2124) with known payload (4.20% vs. 2.45%), Search engine hijack (4.0% vs. 2.1%), others (17.1%).