Press Releases by JavaScriptSearch


Exploit Prevention Labs Releases February Exploit Prevalence Survey


March 13, 2007; 05:55 AM
Exploit Prevention Labs (http://www.explabs.com), a leading developer of safe surfing software that protects against phishing, social engineering and other web-based exploits, today released the results of its February 2007 Exploit Prevalence Survey™. Now in its tenth month, the Exploit Prevalence Survey is the industry’s only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ LinkScanner family of safe surfing applications, combined with data collected from all levels of the company’s multi-faceted research network.

Roger Thompson, CTO of Exploit Prevention Labs and author of the monthly Exploit Prevalence Survey, noted steady activity among cybercriminals in February. For the third consecutive month, the Q406 Roll-up exploit package captured the survey’s number one spot with 35.17 percent of all occurrences. The package’s overall occurrences dropped significantly from its 61.23 percent level in January, but not enough to surrender the number one position. The package consists of updated versions of exploits issued during the fourth quarter of 2006.

According to Thompson, the most common exploits in the package are Setslice, VML and XML, all of which were derived from proofs of concept released by HD Moore during his Month of Browser Bugs in September 2006. Also included in the package is the IE Com CreateObject exploit, which was originally released as a proof of concept in August and occupied November’s number one ranking with 30.45 percent of all occurrences.

The second most common exploit in February was CreateTextRange (CVE-2006-1359), which more than doubled its occurrences from 8.45 percent in January to 19.62 percent. A buffer overflow attack, CreateTextRange affects Internet Explorer and has appeared a number of times in the Exploit Prevalence Survey.

“CreateTextRange refuses to go away,” Thompson said. “It remains one of the bad guys’ most reliable and effective exploits, even though Microsoft released a patch for it in April 2006. Its continuing strong showing indicates that many Internet Explorer users are not patching as diligently as they should.”

Rounding out the top five exploits were WebAttacker, a Russian-built software application with 13.88 percent of all occurrences; IE VML Overflow, a buffer overflow exploit that targets the Vector Markup Language feature of Internet Explorer, with 6.46 percent of all occurrences; and IE Com CreateObject code, a proof of concept that was released in August, with 5.98 percent of all occurrences.

Researchers at Exploit Prevention Labs are seeing increased cyber criminal activity emanating from Asia. “Historically, most organized cybercrime has been coming from Russia and other East European countries, but we’re now seeing a lot more activity in China,” Thompson said. “But regardless of where exploits are coming from, the problem is growing on a global scale. It’s vital for people to patch their system regularly and use added exploit-specific protection like LinkScanner.”

Exploit Prevalence Results for the Month of February 2007

The following is a summary of the top five most-reported web exploits for February 2007:

| Exploit | Rank last month | Percent of Overall Occurrences | Description |
| --- | --- | --- | --- |
| Q406 Roll-up package | 1 | 35.17 percent (61.23 previous) | Comprises up to a dozen exploits; the most common are setSlice, VML, XML, and (IE COM) Createcomobject Code. The package is usually heavily encrypted, making it difficult to single out individual exploits. |
| CreateTextRange (CVE-2006-1359) | 2 | 19.62 percent (8.45 previous) | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader, a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit remains a credible threat. |
| WebAttacker | 5 | 13.88 percent (5.18 previous) | WebAttacker is a Russian-built software application, first introduced about two years ago. It currently launches five different exploits, including the new IE VML Overflow, the new MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online at underground hacker web sites for between $20 and $300, and requires minimal technical sophistication to use. The application is updated every few months, just like legitimate commercial software, only it is crimeware. A new update of WebAttacker, incorporating the IE VML exploit, was released on Exploit Wednesday (the day after Patch Tuesday) in September. |
| IE VML Overflow | 4 | 6.46 percent (5.37 previous) | A buffer overflow exploit that targets the Vector Markup Language feature of the Internet Explorer browser and allows execution of arbitrary code. Security researchers believe it was released on the 13th or 14th of September, right after Patch Tuesday on the 12th. The exploit affects most versions of IE. Microsoft issued an out-of-cycle patch September 27. |
| IE Com CreateObject code | 7 | 5.98 percent (2.05 previous) | IE Com CreateObject was originally released in August as a proof of concept. The exploit creates a COM object in a mode that was never anticipated by Microsoft, and although it was intended for some useful purposes, the functions it enables, such as saving files to the disk or executing a file on the disk, are potentially dangerous in the hands of a cyber criminal. |

Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: Iframers launcher script (4.78% vs. 2.88%), WMF (CVE-2005-2124) with known payload (4.55% vs. 2.50%), Search engine hijack (4.07% new), others (5.49%).

Note to media: Members of the media who would like to interview Roger Thompson about this survey may contact Tim Shisler of Dovetail Public Relations at 408-395-3600 or at xpl (at) dovetailpr (dot) com.

For additional background information on exploits and how to protect against them, visit Exploit Prevention Labs’ comprehensive Resource Center at http://www.explabs.com/about/resCenter/.

About the LinkScanner Family of Safe Surfing Software

Exploit Prevention Labs provides a complete family of safe surfing software to protect Internet users against malicious web sites, phishing, social engineering and other web-based exploits.

The LinkScanner family of safe surfing products includes LinkScanner Pro™, LinkScanner Lite™, and LinkScanner Online. LinkScanner Pro™ (free 15-day evaluation: http://www.explabs.com/downloads/LSP), a $29.95 safe surfing Windows application, provides real-time, automatic protection against malicious web sites, drive-by downloads and other crimeware exploits.

LinkScanner Lite (http://www.explabs.com/downloads/LSL) is a free application that provides Internet Explorer users with real-time scanning of Google, MSN and Yahoo search results for web-based threats, as well as on-demand scanning of individual links.

LinkScanner Online, available at http://linkscanner.explabs.com, is a free real-time online URL scanning service that lets users know whether any individual site they intend to visit has been poisoned by an exploit distribution network. LinkScanner Online supports all major web browsers and is freely available for incorporation into third-party websites. Interested webmasters can request the code through Exploit Prevention Labs’ website at http://www.explabs.com/LinkScanner/MyLinkScanner/.

About Exploit Prevention Labs

Founded by information security veterans Bob Bales and Roger Thompson in 2005, Exploit Prevention Labs develops the LinkScanner family of safe surfing software and services. LinkScanner Pro, LinkScanner Lite and LinkScanner Online provide patent-pending protection against malicious web sites and web-based exploits during the critical risk window between the announcement of a security vulnerability and the provision of a patch by the vendor. A Software Development Kit (SDK) is also available to enable third party vendors to incorporate Exploit Prevention Labs’ technology in their own applications and services. More information about Exploit Prevention Labs and LinkScanner may be found on the company’s website at http://www.explabs.com.
