Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. This report measures the top web-borne exploits based on real-world data. The results are derived from automated reports submitted by LinkScanner users in addition to information captured from the company's network of hunting-pots.
The following is a summary of the top five most-reported web exploits as a percentage of overall exploit occurrences for September 2006:
| Exploit | % | Description |
|---|---|---|
| IE VML Overflow | 45.33% | A buffer overflow exploit in the Vector Markup Language feature of the Internet Explorer browser that allows execution of arbitrary code. Security researchers believe it was released on the 13th or 14th of September, right after Patch Tuesday on the 12th. The exploit affects most versions of IE. Microsoft issued an out-of-cycle patch September 27. |
| WebAttacker | 14.38% | WebAttacker is a Russian-built software application, first introduced about 19 months ago, which currently launches five different exploits, including the new IE VML Overflow, the new MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online (but on underground hacker web sites) for between $20 and $300, and requires minimal technical sophistication to use. The application is updated every few months, just like legitimate commercial software, only it is crimeware. A new update of WebAttacker, incorporating the IE VML exploit, was released on Exploit Wednesday (the day after Patch Tuesday). |
| MDAC | 12.40% | Although technically not an exploit, MDAC refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them to be used. They instantiate an ActiveX control inside a web script that allows files to be written to the disk and executed. |
| CreateTextRange (CVE-2006-1359) | 7.79% | Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader: a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit remains a credible threat. |
| Iframers Launcher Script | 6.48% | Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe embedded on a hacked web site, the visitor's web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer. |
Note: Numbers above do not add up to 100 percent, due to the following lesser reported exploits: WMF (5.16%), Orphaned lures (3.62%), Trimode (2.74%), GromSploit (2.09%).
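The Iframers entry above describes the injection of an iframe into a compromised site to pull visitors to an exploit server. The following is an added example of the kind of check a site owner or web-content scanner can run to surface such injections; it is not code from Exploit Prevention Labs or LinkScanner. It parses a page with Python's standard-library HTML parser and flags any iframe whose source is off-site, whose frame is zero-sized, or which is hidden with CSS, all common traits of an injected launcher frame. The sample page, the host names and the heuristics are constructed assumptions for this example.

```python
"""Flag suspicious iframes (off-site, zero-size or CSS-hidden) in a page's HTML.

Added defensive example; the heuristics and sample input are assumptions,
not part of the Exploit Prevalence Report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_zero(value):
    """True for width/height attribute values such as "0" or "0px"."""
    if value is None:
        return False
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) == 0


class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every iframe that trips a heuristic."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Attribute values can be None for bare attributes; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []

        # 1. Frame points at a host other than the site itself (or a subdomain).
        host = urlparse(src).hostname
        if host:
            host = host.lower()
            if host != self.site_host and not host.endswith("." + self.site_host):
                reasons.append("off-site src host %s" % host)

        # 2. Zero-sized frame: invisible to the visitor but still loaded.
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size frame")

        # 3. Hidden via inline CSS.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        if reasons:
            self.findings.append((src, reasons))


def audit_html(html_text, site_host):
    """Return a list of (iframe src, [reasons]) for suspicious iframes."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample: one legitimate same-site frame and one injected, hidden,
# off-site frame. The ".invalid" TLD is reserved and never resolves.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://shop.example.com/cart" width="600" height="400"></iframe>
<iframe src="http://exploit-server.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src, why in audit_html(SAMPLE_PAGE, "shop.example.com"):
        print("SUSPICIOUS iframe %s: %s" % (src, ", ".join(why)))
```

Run against a page retrieved from the site (for instance, the stored HTML from a content scan), passing the site's own host name so that legitimate same-site frames are not reported. The same-site check is deliberately the weakest of the three heuristics, since a frame that is both zero-sized and CSS-hidden has no legitimate rendering purpose regardless of where it points.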