Exploit Prevention Labs: Chinese hackers take over the number one slot, ANI exploit hits hard in final days of March

Dark Reading Staff, Dark Reading

April 24, 2007

2 Min Read

ATLANTA -- Exploit Prevention Labs (http://www.explabs.com), developer of the LinkScanner line of safe surfing software that protects against exploits, phishing, and other social engineering attacks, today released the results of its March 2007 Exploit Prevalence Survey™. Now in its eleventh month, the Exploit Prevalence Survey is the industry's only survey to use real-world data to definitively measure the most widespread web-borne exploits. Results are derived from automated reports submitted by users of Exploit Prevention Labs' LinkScanner family of safe surfing applications, combined with data collected from all levels of the company's multi-faceted research network.

March's most notable development occurred toward the end of the month, on March 28, when a zero-day exploit that takes advantage of how Windows handles animated cursor (.ani) files was discovered. The so-called ANI exploit attacked fully patched Windows XP SP2 machines running IE 6 or 7 and was successful enough to land the number four slot on the prevalence survey with only four days of distribution.

"The ANI exploit is a sophisticated attack," Thompson said. "We believe it first originated in China, with the relatively benign goal of stealing World of Warcraft (WoW) passwords. But within days, bad guys from around the world had picked it up and begun enhancing it for more nefarious purposes."

At the end of March, Microsoft announced they would be releasing an emergency patch in the first week of April.

In other news, a modified MDAC exploit, also originating in China, secured the number one position in March with 40.38 percent of all occurrences, supporting Thompson's belief that a global shift is taking place. "We're now seeing a rapid rise in the number of active cybercriminal groups in China looking to profit from exploits," Thompson said. "It started with January's Super Bowl attack, and now the technical sophistication of Chinese exploit code is easily on a par with code coming out of the US and Russia."

March's second most common exploit was the still-widespread Q406 Roll-up package, accounting for 19.24 percent of new exploit reports. The package had dominated the survey since it debuted in December 2006. Coming in third with six percent of all occurrences was the TROJAN FAKE CODEC, a social engineering scheme devised by Russian cybergangs. "The big Russian gangs are finding new ways to trick people," Thompson said.

Exploit Prevention Labs

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
