Exploit Prevention Labs' March Exploit Survey

Somebody please raise your hand if you know why people turn loose viruses - in addition to the fact that they’re destructive fools. Exploit Prevention Labs, developer of the LinkScanner line of safe surfing software intended to protect against exploits, phishing, and other social engineering attacks, today released the results of its March 2007 Exploit Prevalence Survey. Results are derived from automated reports submitted by users of Exploit Prevention Labs’ LinkScanner family of safe surfing applications, combined with data collected from all levels of the company’s research network.

March’s most notable development occurred toward the end of the month, on March 28, when a zero-day exploit that takes advantage of how Windows handles animated cursor (.ani) files was discovered. The so-called ANI exploit attacked fully patched Windows XP SP2 machines running IE 6 or 7 and was successful enough to land the number four slot on the prevalence survey with only four days of distribution.

A modified MDAC exploit, also originating in China, secured the number one position in March with 40.38% of all occurrences. March’s second most common exploit was the still-widespread Q406 Roll-up package, accounting for 19.24% of new exploit reports. The package had dominated the survey since it debuted in December 2006. Coming in third with 6% of all occurrences was the TROJAN FAKE CODEC, a social engineering scheme.

Rounding out the top five, after a two month hiatus from the list, is the old Windows Metafile (WMF) exploit, first released back in December of 2005. Even though the exploit was patched over a year ago, newer variants continue to find victims.