Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. This report measures the top web-borne exploits based on real-world data. The results are derived from automated reports submitted by LinkScanner users, in addition to information captured from the company's network of hunting-pots.
The following is a summary of the top five most-reported web exploits, as a percentage of overall exploit occurrences, for November 2006:
| Exploit | % | Description |
| --- | --- | --- |
| IE COM CreateObject Code | 30.21 percent (new) | IE COM CreateObject, a proof of concept released in August. The exploit creates a COM object in a mode that was never anticipated by Microsoft; although the mode was intended for some useful purposes, the functions it enables, such as saving files to the disk or executing a file on the disk, are potentially dangerous in the hands of a cyber criminal. |
| WebAttacker | 20.33 percent (31.90 previous) | WebAttacker is a Russian-built software application, first introduced about 20 months ago, which currently launches five different exploits, including the new IE VML Overflow, the new MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online (though only on underground hacker web sites) for between $20 and $300, and it requires minimal technical sophistication to use. The application is updated every few months, just like legitimate commercial software, only it is crimeware. A new update of WebAttacker, incorporating the IE VML exploit, was released on Exploit Wednesday (the day after Patch Tuesday). |
| setSlice | 16.26 percent (new) | Released during the Month of Browser Bugs, setSlice was set loose in the wild on September 29. It targets an Internet Explorer vulnerability that allows an attacker to execute arbitrary code. |
| WMF (CVE-2005-2124) with known payload | 7.20 percent (4.47 previous) | A Windows Metafile exploit from December 2005. It uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The first genuine zero-day attack, allegedly purchased for $5,000 from a Russian hacking group. It is notable that, four months after Microsoft issued a patch, it is still widely used by cyber criminals. |
| Iframers launcher script | 6.26 percent (4.01 previous) | Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe, embedded on a hacked web site, the visitor's web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer. |
Note: The numbers above do not add up to 100 percent because of the following lesser-reported exploits: MDAC (4.50% vs. 12.99% previous), IE VML overflow (4.0% vs. 10.79% previous), GromSploit (2.60% vs. 5.39% previous), Orphaned lures (3.40% vs. 4.15% previous), Tri-Mode (1.4% vs. 6.32% previous) and others (4.0%).
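The iframer entry above describes the defender-side indicator for that family: an iframe injected into a compromised site that silently loads an external exploit server. The following is an added example, not code from Exploit Prevention Labs or the report, showing a small audit that flags iframes whose src points off-site and notes whether they are hidden (1x1 or CSS-hidden). The site host name, the sample HTML and the `.invalid` host in it are constructed for the demonstration.

```python
# Added example (not from the Exploit Prevalence Report): audit a page's HTML
# for <iframe> tags loading an external host, and note whether the frame is
# hidden, which is how injected "iframer" redirects typically present.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # the host we consider "our own"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host and are treated as same-site.
        external = bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)
        style = a.get("style", "").replace(" ", "").lower()
        hidden = _is_tiny(a.get("width"), a.get("height")) \
            or "display:none" in style or "visibility:hidden" in style
        if external:
            self.findings.append({"src": src, "host": host, "hidden": hidden})


def _is_tiny(width, height):
    """True for 1x1 (or smaller) frames, a classic hidden-iframe sign."""
    try:
        return width is not None and height is not None \
            and int(width) <= 1 and int(height) <= 1
    except ValueError:
        return False


def audit_html(html, site_host):
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings


# Constructed sample: one legitimate same-site frame and one injected,
# hidden 1x1 frame pointing at an off-site host (placeholder .invalid TLD).
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example-shop.test/help" width="600" height="400"></iframe>
<p>Welcome</p>
<iframe src="http://redirect-target.invalid/in.cgi?3" width="1" height="1" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "www.example-shop.test"):
        print(finding)
```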