WebAttacker Unseats WMF as Most Popular Exploit

Research indicates that use of the once-popular WMF exploit code has tailed off significantly and WebAttacker has risen to the top.

While the once highly-feared Windows Metafile software code exploit has finally lost some of its steam, another Russia-born threat, WebAttacker, became the most widely used malware attack format in June.

According to the latest survey released by software maker Exploit Prevention Labs, WebAttacker-generated exploits took off in June, accounting for 32 percent of the attacks it was notified of during the month, versus representing only 24 percent of exploits in May.

Meanwhile, examples of the WMF exploit, which first appeared at the end of calendar 2005, fell from the most prevalent threat format in May, when it accounted for 33 percent of attacks, to fourth position overall, representing 15 percent of threats tracked by the company. Both WebAttacker and WMF are known to have originated in Russia. Sandwiched between the two well-known exploits were the CreateTextRange malware code, which accounted for 19.5 percent of the attacks measured by the survey, and yet another Russian exploit, the so-called iFramers Launcher code, which represented 16 percent of attacks. A newly-discovered exploit dubbed TriMode rounded out the top five, accounting for just over 10 percent of all the threats charted in the research.

According to researchers at Exploit Prevention Labs, WebAttacker has quickly grown in popularity because it demands "minimal technical sophistication" to be manipulated and used by hackers. Sold for as little as $20 at some hacker Web sites, and as much as $300 at others, the malware code is currently being delivered in at least four exploits, including threats aimed at MDAC (Microsofts Data Access Components) software, Mozillas Firefox Web browser and Suns Java virtual machine programs.

Much like legitimate software providers, the creators of WebAttacker are also offering updates to their work every few months to help keep their customers ahead of IT security experts. On the flip side, WMF became so widely-known that most companies have finally applied patches that block related attacks, said Roger Thompson, chief technology officer at Atlanta-based Exploit Prevention Labs.

"Its interesting to see that the people behind WebAttacker are more of a thinking adversary, versus earlier groups who used the brute force approach. Theyre trying to figure out ways to be productive and make money," said Thompson. "Of all the exploits out there, only one of the original WebAttacker attempts is still being used, and its only been out there for 18 months; Id say thats a reflection of how easily new WebAttacker threats can be created."

Thompson is predicting that recently reported vulnerabilities in Microsofts Excel, Word and PowerPoint applications will likely become the next targets for new iterations of WebAttacker, along with growing attacks on MDAC. The researcher said that his group has uncovered four different MDAC script sets over the last month, indicating an upswing in future use of the attacks.

Critical Excel update highlights Microsofts July patches. Click here to read more. Exploit Prevention Labs reported that the overall volume of exploits remained relatively flat in June, compared to May, and attributed a lack of growth in the figure to the relative dearth of newly reported vulnerabilities in major software programs. Emergence of the new Microsoft flaws could create a new spike in activity, however, according to Thompson. The proliferation of malicious Web sites that attempt to secretly pass off malware code on users could contribute to new outbreaks, he said.

The company indicated that it is also expecting some fallout based on the much-publicized plan of virus researcher H.D. Moore to unveil a new browser attack once a day, every day, during the month of July. While most of the attacks will be set to merely crash users browsers, criminals could adapt the code for more devious purposes.

Thompson said that Russia will continue to serve as a hotbed for new exploit activity based on the inability of local law enforcers to crack down on the malware writers. Russian attackers are also stipulating that individuals buying their code promise not to launch attacks on companies or other users in the country for fear of drawing increased scrutiny.

"Its debatable just how much the government there is doing to try and stop these guys, and as long as they stay out of Russian companies there probably wont be a lot of motivation to do so," Thompson said. "As long as this current situation is allowed to continue, I think its safe to say that Russia will remain a big part of the attacks."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.