Crusty bait makes for great phishing
The six-year-old vulnerability first burnt by Stuxnet remains the internet’s chief pwning vector and is a key instrument of the world’s worst exploit kit known as Angler.
The vulnerability is a hole in Windows Shell that is both long since patched and well publicised as part of its discovery in the US’ Stuxnet worm, the killer malware that laid waste to the Natanz uranium enrichment plant.
Many malware families exploit the vulnerability but users would be most likely to encounter it when faced with the Angler exploit kit which has maintained its dominance in the crimeware market since the demise of Black Hole in 2013.
Microsoft made the finding in its 190 page Security Intelligence Report [PDF] which probed the state of security comparing the six months from June last year to the start of 2015.
“CVE-2010-2568 [is] the most commonly targeted individual vulnerability in 1H15 (the first quarter of last year),” Microsoft security wonks say.
“Detections are often identified as variants in the Win32/CplLnk family, although several other malware families attempt to exploit the vulnerability as well.
“An attacker exploits CVE-2010-2568 by creating a malformed shortcut file—typically distributed through social engineering or other methods—that forces a vulnerable computer to load a malicious file when the shortcut icon is displayed in Windows Explorer.”
It affects only Windows versions older than Windows 8 that have not applied the August 2010 patch.
The report and Microsoft’s 1018-page opus the Regional Threat Assessment [PDF] house scores of other security findings including vulnerability, password, and threat analysis.
It finds the deployment of exploit kits shot up by a third making it the most prolific means of using exploits.
Angler took top spot as the most virulent of exploit kits followed by Sweet Orange, for which encounter levels were nearly negligible.
The Magnitude exploit kit is not mentioned but has been gaining a large amount of traction according to other security researchers.
This year it has been tearing through advertising networks and plundering visitors to the world’s biggest web sites as part of highly-effective malvertising campaigns.
“Encounters involving the RIG exploit kit (aka Redkit, Infinity, and Goon) more than doubled between 3Q15 and 4Q15, but remained far below those involving Angler,” Microsoft says.
“Encounters involving the Nuclear kit increased between the third and fourth quarters, but remained below their 2Q15 levels.”
Angler targets wrecked runtimes and the odd zero-day hole in the likes of Microsoft Silverlight, Adobe Flash, and Oracle’s Java horror box, along with the Internet Explorer browser.
Researchers from firms including Microsoft and Cisco, along with independents like Kafeine and Xylitol make sport of publicising Angler’s zero day exploits which reduces the time-to-pwn window available to black hats.
The report also finds Microsoft clocks some 10 million fraudulent password logins a day of a total of 13 billion legitimate logins.
On the vulnerability front, Redmond says high and medium -severity holes represented about 40 percent and 50 percent of all holes disclosed in the latter six months of last year compared to earlier months, the number of the former surging by 41.7 percent over the period.
Third party Windows software was unsurprisingly more likely to be hacked than core Microsoft gear, it found. ®
Rise of the machines