
Survey Shows Five Most-Reported Web Exploits in September

Escalation of cyber criminal efforts to attack unpatched computer users

Exploit Prevention Labs released findings for its September 2006 Exploit Prevalence Survey. Now in its fifth month, the Exploit Prevalence Survey measures the top web-borne exploits based on real-world prevalence data. Results are derived from automated reports submitted by users of Exploit Prevention Labs' SocketShield anti-exploit software, combined with data captured from the LinkScanner online URL scanning service and network of automated hunting-pots.

"After a relatively quiet three months, the release of the IE VML exploit represents a significant escalation in the tactics used by cyber criminals to attack unpatched computer users," said Roger Thompson, CTO of Exploit Prevention Labs and the manager of the monthly Exploit Prevalence Survey. "Within a day or two of Microsoft's Patch Tuesday release on September 12, cyber criminals launched a massive coordinated zero-day attack, possibly the largest zero-day attack in recent history."

The IE VML Overflow exploit easily captured the number one position in the September Exploit Prevalence Survey, accounting for 45 percent of all attempted exploits. The figure is especially significant because the exploit was released mid-month: measured only over the days it was actually circulating, its relative prevalence was higher still.

According to Thompson, the IE VML zero-day exploit was released at the same time as another zero-day exploit, the second one affecting the popular Linux web hosting management software application, cPanel. Therefore, a Linux zero-day exploit was used to distribute a Windows zero-day exploit. The cPanel zero-day explains how over 300 web sites hosted by the large Florida web-hosting firm, Host Gator, were hacked to distribute the IE VML exploit. While numerous other hosting firms were affected, Host Gator was most forthcoming in disclosing the hack.

Of further interest, according to Thompson, is that unlike most previous zero-day attacks that were perpetrated by a single cyber gang, the IE VML exploit was apparently perpetrated by two, possibly even three or four separate groups, who coordinated this large-scale simultaneous zero-day attack.

"The sophisticated coordination among different cyber criminal organizations indicates that the author of the exploit probably sold the exploit to multiple organizations, and successfully orchestrated a controlled simultaneous release which caught Microsoft and most of the computer security industry completely off guard."

The actual prevalence of the IE VML exploit is likely higher than is suggested by the raw survey data, since the WebAttacker launcher script, which until September attempted to load four different exploits, added the IE VML exploit into its arsenal within days of its release. WebAttacker was the number two most prevalent exploit for the month of September, accounting for approximately 14 percent of reports.

The following is a summary of the top five most-reported web exploits for the month of September 2006:
Exploit: IE VML Overflow
Rank last month: New
Percent of overall occurrences: 45.33 percent
Description: A buffer overflow exploit in the Vector Markup Language feature of the Internet Explorer browser that allows execution of arbitrary code. Security researchers believe it was released on the 13th or 14th of September, right after Patch Tuesday on the 12th. The exploit affects most versions of IE. Microsoft issued an out-of-cycle patch on September 27.

Exploit: WebAttacker
Rank last month: (not given)
Percent of overall occurrences: 14.38 percent
Description: WebAttacker is a Russian-built software application, first introduced about 19 months ago, which currently launches five different exploits, including the new IE VML Overflow, the new MDAC, a Firefox exploit, CreateTextRange, and an exploit for the Java Virtual Machine. Like a commercial software application, WebAttacker can be purchased online -- but on underground hacker web sites -- for between $20 and $300, and requires minimal technical sophistication to use. The application is updated every few months, just like legitimate commercial software, only it is crimeware. A new update of WebAttacker, incorporating the IE VML exploit, was released on Exploit Wednesday (the day after Patch Tuesday).

Exploit: MDAC
Rank last month: 7
Percent of overall occurrences: 12.40 percent
Description: Although technically not an exploit, MDAC refers to a creative method of using certain ActiveX controls in a context for which Microsoft did not originally intend them to be used. Attackers instantiate an ActiveX control from a web script, which allows files to be written to disk and executed.

Exploit: CreateTextRange (CVE-2006-1359)
Rank last month: 5
Percent of overall occurrences: 7.79 percent
Description: Released March 2006. This is a buffer overflow attack affecting Internet Explorer that enables the execution of arbitrary code, usually a downloader -- a program whose job is to download and install another program such as a rootkit or a keylogger. Patched in April by Microsoft, this exploit remains a credible threat.

Exploit: Iframers (launcher script)
Rank last month: 2
Percent of overall occurrences: 6.48 percent
Description: Propagated by a cybercrime organization sometimes called the CoolWebSearch gang, or the Russian iframers, this exploit is perpetrated by a cybercrime mob generally thought to be based in St. Petersburg, Russia. This organization is responsible for the Circuit City hack in early June 2006. Using a simple HTML tag called an iframe embedded on a hacked web site, the visitor's web browser is redirected to an exploit server operated by the gang, which attempts to deposit up to eight different exploits onto the user's computer.
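Two of the entries above describe delivery mechanisms rather than memory-corruption bugs: an iframe injected into a hacked site that sends the visitor to an exploit server, and a web script that instantiates an ActiveX control. Both leave indicators in the served HTML that a URL scanner of the kind the survey draws on can flag offline. The script below is an added illustration of that check; it is not LinkScanner or SocketShield code, and the sample page, the host names and the ActiveX ProgID in it are constructed placeholders. It walks a page with the standard-library HTML parser and reports iframes that point off-site or are sized or styled to be invisible, plus any script body that calls `new ActiveXObject(...)`.

```python
"""Offline scan of a fetched HTML page for two delivery patterns named in the
survey: an injected <iframe> that sends the visitor to a third-party exploit
server, and a script that instantiates an ActiveX control. Added example for
illustration, not vendor code; the sample page and host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Signature for ActiveX instantiation from script. The survey describes the
# MDAC method only as an ActiveX control used from a web script, so no
# particular ProgID is matched here.
ACTIVEX_RE = re.compile(r"new\s+ActiveXObject\s*\(", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden",
                             re.IGNORECASE)


def _is_zero(value):
    """True when a width/height attribute evaluates to zero pixels."""
    if value is None:
        return False
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) == 0


class ExploitIndicatorParser(HTMLParser):
    """Collects iframe and ActiveX indicators while walking the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            # A relative src stays on the serving host.
            host = (urlparse(src).hostname or self.page_host).lower()
            hidden = (_is_zero(a.get("width")) or _is_zero(a.get("height"))
                      or bool(HIDDEN_STYLE_RE.search(a.get("style") or "")))
            external = host != self.page_host
            # An iframe is suspicious if it leaves the site or is invisible.
            if external or hidden:
                self.findings.append({
                    "kind": "external_iframe" if external else "hidden_iframe",
                    "host": host, "src": src, "hidden": hidden})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and ACTIVEX_RE.search(data):
            self.findings.append({"kind": "activex_instantiation",
                                  "snippet": data.strip()[:80]})


def scan_html(html, page_host):
    """Return the list of indicators found in html served by page_host."""
    parser = ExploitIndicatorParser(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate same-site frame, an injected zero-size
# frame to an off-site host, and a script creating an ActiveX object.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.shop.example/promo.html" width="300" height="250"></iframe>
<iframe src="http://exploit-host.invalid/launch.php" width="0" height="0"></iframe>
<script type="text/javascript">
  var ctl = new ActiveXObject("Vendor.Control");  /* placeholder ProgID */
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.shop.example"):
        print(finding)
```

Run against the constructed sample it reports the zero-size off-site iframe and the ActiveX call, and ignores the visible same-site frame. In practice the host comparison should be extended with an allow-list of the site's own CDN and advertising domains, otherwise every legitimate third-party frame is flagged alongside the injected one.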