
The figures behind the headache

The vulnerability in the Windows Help and Support Center has been a constant irritation to antivirus experts for the third week running. In this post I analyse the problem using data from KSN (Kaspersky Security Network).

We first detected samples of the exploit on 10 June, and at the time of writing over 14,000 attacks using CVE-2010-1885 have been registered.

The graph above shows the number of detections per day.

The most important number, however, is how widely the exploit is distributed on the Internet: according to KSN, on 2 July 2010 an average of 300 websites were hosting it.

Below are two Top 10 lists, one for each of two variants of the exploit:

In the first Top 10 the two clear leaders are malicious sites that spread malware under a pay-per-install scheme; they host so-called exploit packs, which attack visitors through several vulnerabilities at once. A few legitimate IT security sites that published examples of the exploit also appear in the list.

The second list is more straightforward: all of the sites on it (around 200 in total) also take part in illegal partner, or affiliate, programs.

Most of the sites currently spreading malware via the HCP exploit can be traced back to Russia, which is why Russia is the worst-affected country and leads in the number of users attacked.

Users in the USA, Portugal and Germany have also been targeted more heavily than those elsewhere.

P.S. Microsoft has not announced any plans to release a patch for this vulnerability ahead of schedule, which means another couple of uneasy weeks on the Internet for users of Windows XP and Windows Server 2003.
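Until a patch ships, the workaround Microsoft documented for this issue is to unregister the HCP protocol handler, which removes the hcp:// URL association the exploit relies on. The PowerShell script below is an added example, not code from the original post or from Kaspersky. It assumes the handler is registered under the HKEY_CLASSES_ROOT\HCP registry key and that PowerShell is installed on the machine (it is not present on Windows XP by default); it only reports by default, and when run with -Unregister it exports the key to a .reg backup before deleting it, so the association can be restored with reg import once the real fix is applied.

```powershell
# Added example: check for, back up and unregister the HCP protocol handler
# (the documented workaround for the Help and Support Center vulnerability).
# Assumption: the handler is registered under HKEY_CLASSES_ROOT\HCP.
# Run from an elevated (Administrator) PowerShell prompt.

param(
    [switch]$Unregister,                                  # without this switch the script only reports
    [string]$BackupPath = "$env:TEMP\HCP-handler-backup.reg"
)

$key = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpHandlerState {
    # 'registered' when the hcp:// association is live, 'absent' when the key is gone.
    if (-not (Test-Path $key)) { return 'absent' }
    # A URL protocol key carries a value literally named 'URL Protocol'.
    $item = Get-Item -Path $key
    if ($null -ne $item.GetValue('URL Protocol')) { return 'registered' }
    return 'key present, but no URL Protocol value'
}

$state = Get-HcpHandlerState
Write-Host "HCP protocol handler: $state"

if ($Unregister -and $state -ne 'absent') {
    # Export the key first so the change can be reversed with: reg import <BackupPath>
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\HCP failed; not removing the key." }
    Write-Host "Backup written to $BackupPath"

    Remove-Item -Path $key -Recurse -Force
    Write-Host "HCP protocol handler now: $(Get-HcpHandlerState)"
}
```

Expect side effects: with the handler unregistered, legitimate hcp:// links inside Help and Support Center stop working until the key is imported back, so roll the workaround out only where that is acceptable and keep the backup file with the machine.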
