New to this month's report is tracking of orphaned lure sites. Orphaned lures are trusted web sites that have been hacked and which contain IFRAME links that call out to exploit servers that are dead or dormant. An IFRAME is a common HTML tag, and is the primary mechanism used by cyber criminals to infect web site visitors with exploits via drive-by downloads. When a user with an unpatched system hits the site, the IFRAME command causes the user's browser to silently connect to another server, often an exploit server, that then attempts to force-download exploit code onto the user's computer.

"Although these sites are not actively serving exploits right now, we keep a close eye on them because cyber criminals frequently reactivate their exploit servers at a later date," said Roger Thompson, CTO of Exploit Prevention Labs and the survey's primary author. "The orphaned lures are also interesting because the site owners remain oblivious to the fact that they've been hacked and that they most like remain vulnerable to further hacks by the exploit distributors."

Exploit Prevalence Results for the Month of August 2006.  The following is a summary of the top five most-reported web exploits for the month of August 2006:

1.  WebAttacker (30.36%) - WebAttacker is a Russian-built software application, first introduced about 18 months ago, which currently launches four different exploits, including MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, it can be purchased online - but on underground hacker web sites - for between and 0, and requires minimal technical sophistication to use. Updated every few months, just like legitimate commercial software, only it is crimeware.  Updated in July, most likely for bug fixes.

2.  Iframers launcher script (16.81) - Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia.  This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe embedded on a hacked web site, the visitor's web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer.

3.   WMF (15.78)) with known payload - Windows Metafile exploit from December 2005.  Uses a little-known feature of Windows Metafiles to execute arbitrary code, including malware.  The exploit, a genuine zero-day attack, was allegedly purchased for ,000 from a Russian hacking group.  Seven months after Microsoft issued a patch, it's still widely used by cybercriminals.

4.  Orphaned Lures (9.78%) - Orphaned lures are trusted web sites that have been hacked and which contain  IFRAME links which call out to exploit servers that are currently dead or dormant.

5.  CreateTextRange (8.4%)- Released March 2006.  This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader - a program whose job is to download and install another program such as a rootkit or a keylogger.  Patched in April by Microsoft, this exploit appears to be in decline.

Note:  Numbers above do not add up to 100 percent, due to the following lesser reported exploits:  TriMode (7.38 percent), MDAC (6.69 percent), GromSploit (New: 4.80%).

Source:  Exploit Prevention Labs

*****

For your comments, questions and suggestions, send your email to techtvhost@yahoo.com