Study shows increase in orphaned lure sites

One vendor has reported an uptick in reports of orphaned lure sites - the trusted, but hacked, websites that may contain iFRAME links that call out to exploit servers.

Orphaned lure sites were the fourth-highest ranking web-borne exploit for August in Exploit Prevention Labs' Exploit Prevalence Survey.

Results from the survey are derived from automated reports from Exploit Prevention Labs software.

iFRAME links call out to exploit servers and then infect visitors through drive-by downloads. If a hacked site determines a web surfer has an unpatched system, the iFRAME can connect to an exploit server that downloads malicious code onto the PC.

Roger Thompson, Exploit Prevention Labs CTO, said today that the firm has been searching specifically for orphaned lure sites.

"I was very interested in the number of the orphan lure sites. I really don't know how many there are out there, there might be in the tens of thousands," he said. "If you're unpatched, you can absolutely get nailed by the various exploits."

The most prominent exploit, according to the report, was WebAttacker, which can launch four different exploits, including one for Mozilla's Firefox browser. It accounted for more than 30 percent of exploit occurrences.

Second highest was the iFRAMErs launcher script, which can redirect a browser to an exploit server. It accounted for nearly 17 percent of occurrences.

Windows Metafile (WMF) exploits ranked third, accounting for nearly 16 percent of occurrences on Exploit Prevention Labs software.

Thompson also warned users about rootkits.

"One thing that people need to be aware of that doesn't show up in our stats this month is the increase in rootkits that I'm seeing," he said. "Basically everything on (the list) that nails you installs a rootkit. I'm surprised by the variety of them."

Ken Dunham, director of IDefense's Rapid Response Team, said, "the abuse of iFRAME links has been widespread for years."

"This was the case with WMF when a malicious Windows metafile was loaded within an iFRAME window to silently install code of choice on vulnerable computers," he said. "Web-based attacks are on the rise, one of the hottest vectors of attack over the past 12 months. We expect to see similar attacks in the future, as web-based exploits continue to be abused and new exploits emerge."

Click here to email Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.