According to the just-released Exploit Prevalence Survey for the month of September, web-based exploits against the IE VML flaw are the most widely distributed exploit ever. The report is put together by Exploit Prevention Labs (XPL), which uses a distributed network of computers to scan the web for sites with malicious intent. In the interview I did this morning with Roger Thompson, the Founder of XPL, he calls it a “hunter pot network” (as opposed to a honey pot network).
What is interesting about Roger’s research is that he has a lot of insight into the networks of cyber criminals that create the exploits which are now commonly deployed on the Wednesday after Microsoft’s regularly scheduled patch releases (today is one such “exploit Wednesday”). In the case of the VML exploits, Roger believes that the exploit was developed by a single group and then sold to hundreds of criminal gangs with the understanding that they would not deploy it until a specified date. This is an unprecedented level of cooperation among these bad guys. Roger also talks about how they used a zero-day exploit against cPanel, the web-hosting control panel that runs on many Linux servers, to plant their VML exploits on hundreds of unsuspecting mom-and-pop web servers, which then infected anyone browsing to those web sites.
Roger is one of the pioneers in AV and security research. Hear him in this threatcast recorded today.