Wednesday, April 04, 2007

ANI Wed evening

Hi folks,

Well, the official patch is out, but the use of the ANI exploit continues to grow. Significant numbers of exploit servers and their lures continue to be found, mostly in China and Russia.

On a slightly different note, someone asked me recently how to measure the importance of a web-based exploit problem, and I thought it was a fair question. When you have a network worm or mass-mailing worm, it's fairly easy to guage the size of the outbreak, simply by watching your firewall logs, or by looking at what comes into your InBox.

Web-based stuff is much more subtle. They rarely come looking for you, but rely on their network of Lures to draw you in. For example, a single exploit server I looked at recently had fifty IP addresses that called directly to it. Each of those fifty (which were under the direct control of the owner of the exploit server) had about 300 domains on it. If you assume that each of those domains had just ten external links in, from open blogs, or hacked sites, that made 150,000 ways to be drawn to the exploit, with just a couple of unwary surfs. If they could create 100 first generation links in, that would be 1.5m. It mounts up quickly.

Not only that, but a frequent target of the exploiters is to hack into an unwitting small business website, like a resaurant or a mortgage broker. They're always poorly defended, but the owner is usually canny enough to try to create many links into her website. Some potential diner tries to find out what's on the menu, and gets a belly full of rootkit instead.




Post a Comment

<< Home