Exploit Prevention Labs
Threat Center

Exploit Prevention Labs' Threat Center publishes a monthly Exploit Prevalence Report. This report measures the top web-borne exploits based on real-world data. The results are derived from automated reports submitted by LinkScanner users in addition to information captured from the company’s network of hunting-pots.


Exploit Prevalence Results for the Month of August 2007
The following is a summary of the top five most-reported web exploits for August 2007:

| Exploit | Rank last month | Percent of Overall Occurrences | Description |
| --- | --- | --- | --- |
| TROJAN FAKE CODEC | 1 | 28.3% (29.4% previous) | This Russian social engineering tactic tricks people into downloading a rootkit by telling them they are downloading a simple codec when they attempt to view a video of Paris Hilton, Britney Spears or another celebrity. |
| Modified MDAC | 2 | 22.1% (22.6% previous) | MDAC refers to a creative method of using certain ActiveX controls in a context Microsoft did not originally intend. An ActiveX control is instantiated inside a web script that allows files to be written to disk and executed. |
| IE Com CreateObject code | 4 | 12.4% (6.8% previous) | IE Com CreateObject was originally released in August 2006 as a proof of concept. The exploit creates a COM object in a mode that was never anticipated by Microsoft. Although it was intended for some useful purposes, the functions it enables, such as saving files to the disk or executing a file on the disk, are potentially dangerous in the hands of a cyber criminal. |
| WebAttacker 2.0 | 3 | 7.9% (8.3% previous) | A new exploit package consisting of MDAC and other zero-day exploits. Thompson is calling it WebAttacker 2.0 because of its eerily similar distribution method to WebAttacker. |
| Link to known exploit site | New | 5.4% | Not an exploit per se, "Link to known exploit site" is merely an attempt to link to a known exploitive site. There are several known sites, and now that XPL has added new signatures they are showing up on the survey. |

Note: The numbers above do not add up to 100 percent because of the following lesser-reported exploits: Q406 Roll-up package (3.8% vs 5.5%), iFramers Launcher Script (3.7% vs 2.9%), ANI (3.4%), others (13.2%).