Research

The figures behind the headache

The vulnerability in the Windows Help and Support Center has been a constant irritation to antivirus experts for the third week in succession. I will try to provide an analysis of the problem with the help of KSN.

We first detected samples of the exploit on 10 June and at the time of writing, over 14,000 attacks using CVE-2010-1885 have been registered.

The graph above shows the number of detections per day.

However, the most important feature is the figure indicating the exploit’s distribution on the Internet. According to KSN, on 2 July, 2010 the total number of websites hosting the exploit averaged 300.

Below are a couple of Top 10s for two variants of the exploit:

In the first Top 10 the two obvious leaders are malicious sites which spread malware using a Pay-per-Install scheme. They include so-called exploit packs that attack users via several vulnerabilities at a time. There are also a few legitimate IT security sites in the list that published examples of the exploit.

In the second list the situation is more straightforward. All of the sites listed, and there are around 200 in total, also participate in illegal partner, or affiliate, programs.

The majority of sites currently spreading malware with the help of the HCP exploit can be traced back to Russia and that is why Russia is the worst affected by this vulnerability and leads in terms of the number of users attacked.

Users in the USA, Portugal and Germany have also been targeted more than in other countries.

P.S. Microsoft has not announced any plans to release a patch for this vulnerability ahead of schedule, which means another couple of uneasy weeks on the Internet for users of Windows XP and Windows Server 2003.

The figures behind the headache

Your email address will not be published.

 

Reports

The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox