"The exploit underworld is characterized by manic flurries of activity accompanying new attacks, followed by periods of quiet," said Roger Thompson, Exploit Prevention Labs' chief technology officer, in an e-mail. "Consequently, following their successful [Internet Explorer] VML exploit in September, we believe [they're] now laying the groundwork for a new round of attacks."
Thompson's October exploit survey, a monthly status update of the most prevalent exploits, shows how attackers have settled into a cyclical pattern. "[It's] like a tidal surge that crashes to shore and then slowly ebbs back to sea."
In the survey's top spot was WebAttacker, a multiexploit generator that's bounced around the top of the list for half a year. WebAttacker is just one of several exploit kits sold in the attacker underground, and is frequently updated, said Thompson, to help criminals take advantage of newly discovered vulnerabilities. The most recent WebAttacker update was done in early October, when the kit added support for WebViewFolderIcon setSlice exploit.
WebAttacker accounted for 32% of all exploits detected in October, added Thompson, more than double its September tally of 14%.
Exploit Prevention Labs, a security software developer based in Atlanta, launched a new line of exploit detection tools -- LinkScanner Lite and LinkScanner Pro -- on Monday.