Zero-Day Exploits Abound at Legitimate Web Sites

Updated: According to the latest research from software maker Exploit Prevention Labs, malware targeting flaws in popular software including Microsoft's Windows is being delivered by more Web sites than ever, de

Security applications vendor Exploit Prevention Labs released the findings of a new report that contends that Internet-based threats using so-called zero-day attacks continue to proliferate at a rapid pace.

In addition to appearing more frequently than ever before, and on a larger number of seemingly legitimate Web sites, the attacks on software vulnerabilities in popular programs such as Microsoft Windows are increasingly being used for criminal purposes, the researchers said.

Exploit Prevention Labs said that the zero-day exploits are being used specifically by international cyber-crime rings targeting operating system and Web browser flaws.

For the month of May, the company said that the widely publicized WMF (Windows Metafile) attack, first launched in December 2005, remained the top zero-day threat on the Web, accounting for roughly 33 percent of all the exploits it detected.

WebAttacker, a software application that generates Web-based exploits, accounted for almost 25 percent of all reported threats, while an exploit known as CreateTextRange represented almost 21 percent, and the Iframers launcher script accounted for almost 19 percent. Of the four, all but CreateTextRange are known to have been created in Russia.

For its part, Microsoft released a security patch for WMF in January.

Roger Thompson, chief technology officer of Exploit Prevention Labs, said that there is a growing trend among malware sources to use the power of the Internet and search engine sites to distribute their code.

Criminals are buying pre-fabricated zero-day attacks from malware writers and using any means they can find to hide the threats on legitimate Web sites and secretly offload the programs onto the machines of unsuspecting end users.

As a result, rising numbers of people with less sophisticated technical backgrounds are trying to cash in on scams aimed at stealing personal data or companies' proprietary information.

"I wouldn't say that it's fair to say this problem has reached epidemic proportions, compared to the size of the Web, but it's growing and the people doing this are making money from adware, spyware, rootkits and even selling fake anti-spyware," said Thompson.

"When Microsoft issues a security patch it typically does a good job of blocking the threats, but there are so many people unaware of the malicious attacks on legitimate Web sites, and all the patches they need, that these criminals will continue to push as hard as they can."

The zero-day attackers are also seeking to directly enlist the help of Web site owners to distribute their code, offering cash rewards based on the number of PCs they can secretly infect through the seemingly legitimate URLs.

However, it has become so easy to drop exploits onto many pages, said Thompson, that most site operators won't notice when someone has added an attack to their own code.

Exploit Prevention Labs said it recently detected an exploit distribution network controlled by a single organization that was using 40 Internet domains, each of which was linked to an average of 500 infected sites, for a total of roughly 20,000 Web pages forwarding the group's attacks.
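The injection pattern described above (a launcher frame or script dropped into a legitimate page, pointing at an exploit host the operator has never heard of) is something a site operator can check for without any vendor product. The following is an added example, not code from Exploit Prevention Labs or from the article: a stand-alone Python scan that walks a page's HTML and flags any iframe or script whose source is off-site relative to a trusted-host list, or any iframe that is hidden or sized 1x1 or smaller. The trusted hostnames, the sample page and the "tiny" threshold are constructed assumptions for illustration.

```python
"""Scan a page's HTML for injected hidden iframes and off-site script tags.

Added example (not from Exploit Prevention Labs or eWEEK). Standard library only.
Hostnames, the sample page and thresholds below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads frames and scripts from (assumption).
TRUSTED_HOSTS = {"www.example-store.com", "static.example-store.com"}

# Constructed page: ordinary content, plus a 1x1 hidden iframe and an off-site
# script appended after </html>, where injected code is commonly tacked on.
SAMPLE_PAGE = """<html><head><title>Example Store</title>
<script src="/js/site.js"></script>
<script src="http://static.example-store.com/analytics.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://www.example-store.com/promo" width="300" height="250"></iframe>
</body></html>
<iframe src="http://counter-stats.example.net/in.cgi?3" width="1" height="1"
 style="visibility:hidden"></iframe>
<script src="http://adv-tracker.example.org/l.js"></script>
"""

# Inline CSS tricks that make a frame invisible while it still loads.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"position\s*:\s*absolute[^;]*;\s*(?:left|top)\s*:\s*-\d"
)


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixels (assumed threshold)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _Scanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).hostname  # None for a relative (same-origin) URL
        offsite = host is not None and host not in self.trusted
        hidden = tag == "iframe" and (
            _is_tiny(a.get("width"))
            or _is_tiny(a.get("height"))
            or bool(_HIDDEN_STYLE.search(a.get("style") or ""))
        )
        if offsite or hidden:
            self.findings.append({
                "tag": tag, "src": src, "host": host,
                "offsite": offsite, "hidden": hidden,
                "line": self.getpos()[0],
            })


def scan_page(html, trusted_hosts=TRUSTED_HOSTS):
    """Return suspicious iframe/script tags: off-site sources or hidden frames."""
    scanner = _Scanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        why = ", ".join(k for k in ("offsite", "hidden") if f[k])
        print(f"line {f['line']}: <{f['tag']} src={f['src']!r}> ({why})")
```

Run against the constructed page, the scan ignores the site's own script and its visible promotional frame and reports two tags: the 1x1 hidden iframe (off-site and hidden) and the trailing off-site script. A same-origin iframe hidden with display:none is still reported, since an operator who did not add a hidden frame should want to know about it regardless of where it points.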

A majority of the exploits arriving on the Web today are being distributed out of Russia and other Eastern European countries, according to the report, and typically attempt to install rootkits on PCs, which can be nearly impossible to remove.

And since it is well known that the code used to launch the high-profile WMF attacks was purchased for only $5,000, potential criminals can get their hands on dangerous malware tools relatively cheaply.

By the end of June, Thompson predicts that WebAttacker will replace the WMF attacks as the top exploit threat on the Internet.


Sold out of Russia for between $100 and $200, WebAttacker also offers an update service to help hackers get their hands on the latest exploits, much as managed security services forward anti-virus updates to business customers.

"These guys are getting increasingly bold, and evil, and many have business interests in other crimes such as child pornography," said Thompson. "They're not hacker-level clever, at least in terms of technology, but this is their job and it pays enough to keep them working hard at it."

One advantage of this lack of sophistication on the part of many cyber-criminals is that, because they have bought their tools from known sources or copied another individual's handiwork, security applications providers can often stop large volumes of attacks with only a handful of different software updates.

Editor's Note: This story was updated to add correct references to Exploit Prevention Labs.
