Image courtesy Fortinet.

Researchers at Fortinet said the malicious file is a new version of “Zitmo,” a family of mobile malware first spotted last year that stands for “ZeuS in the mobile.” The Zitmo variant, disguised as a security application, is designed to intercept the one-time passcodes that banks send to mobile users as an added security feature. It masquerades as a component of Rapport, a banking activation application from Trusteer. Once installed, the malware lies in wait for incoming text messages, and forwards them to a remote Web server.

Trusteer published a lengthy blog post today that mentions an attack by this threat “that was used in conjunction with Zeus 2.1.0.10. The user was first infected with Zeus on their PC and then Zeus showed the message requesting the user to download the Android malware component.” In a phone interview, Trusteer CEO Mickey Boodaei said crooks used the Trojan in live attacks against several online banking users during the first week of June, but that the infrastructure that supported the attacks was taken offline about a month ago.

Boodaei offers a bold and grim forecast for the development of mobile malware, predicting that within 12 to 24 months more than 1 in 20 (5.6%) of Android phones and iPads/iPhones could become infected by mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits.

The last bit about exploit kits is key, because almost all mobile malware developed so far uses some type of social engineering to install itself on a device. Boodaei predicts a future time when crooks begin incorporating mobile phone vulnerabilities into automated exploit kits like BlackHole and Eleonore, which use security flaws to install malicious software when the user visits a booby-trapped site with a vulnerable device.

Trusteer’s prediction is timely: jailbreakme.com, which allows users to jailbreak their iPads or iPhones by browsing to the site, leverages an unpatched, critical vulnerability in Apple iPhones and iPads. Experts are warning that such exploits could also be used to download and install malware. Meanwhile, the folks that devised the exploit used by jailbreakme.com have issued a program that lets jailbreakers patch the flaw — meaning that until Apple issues an official fix for the bug, people who have jailbroken their iPhones or iPads are potentially more secure than regular users.

Kevin Mahaffey, co-founder and CTO of Lookout Mobile Security, called the Zitmo variant a notable development, but said it is somewhat unsophisticated. Mahaffey said that a more disturbing class of malware is emerging for Android that convinces users to install the application by disguising itself as an in-app advertisement . Dubbed “GGTracker,” this Android Trojan is automatically downloaded to a user’s phone after he or she visits a malicious Web page that imitates the Android Market. According to Lookout, the Trojan is able to sign up victims for a number of premium SMS subscription services without the user’s consent.

GGTracker is a reminder that mobile users need to be just as vigilant about mobile phone threats as they are with a personal computer. That doesn’t mean mobile users need to install antivirus software; common sense and some basic street smarts will suffice. For example, Trojans like GGTracker can be avoided by paying attention to the URL in a browser’s address bar — something users should already be trained to do to avoid phishing scams. The first two rules from Krebs’s Three Basic Rules for Online Safety also apply to the mobile world: If you didn’t go looking for it (in this case Zitmo), don’t install it; if you installed it, update it (let’s hope that Apple will quickly issue a patch for its vulnerability).

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

Fans of the movie series “Alien” will recognize the name Weyland-Yutani as the fictional corporation that was sent ahead to establish habitable bases and dwellings on extrasolar planets in advance of the arrival of new human colonies. If this crimekit takes hold, or is an indicator of a broader interest in attacking Mac users, we could soon witness cyber crooks starting to colonize the Mac user community as well. The author of this Mac crimekit said he knows of several other independent coders who are working on Mac malcode projects that aren’t quite ready for prime-time, although he declined to elaborate on that claim.

Each time this subject comes up, I am struck by how fervently the Mac community denies that Mac users might ever have to deal with anywhere near the level of malware that currently besieges the Windows world. The Mac, these apologists explain, is far more secure than Windows, and that is why we have not seen malware writers attack the platform with the same vigor and interest. As one commenter on this blog reasoned, OS X simply doesn’t allow programs to be installed without user permission. My response is, assuming for the moment that the above statement about the Mac’s superior security is true, the operating system does nothing to stop the user from being tricked or cajoled into installing malware. What’s more, social engineering attacks are one of the primary ways that Windows users get infected today, so why would it be any different for Mac users?

Consider the scourge of rogue anti-virus attacks: Each day, thousands of Windows users are tricked into running and installing a bogus security “scanner” foisted on them by some hacked Web site. The attackers’ goal with these “scareware” muggings is to not only trick the user into installing malicious software, but also paying for it with their credit cards!

Image courtesy Intego.com

Earlier today, MacRumors.com carried a story about a new threat discovered by Mac security software vendor Intego that uses social engineering in a bid to install scareware known as “MACDefender.”

The nice thing about social engineering attacks is that defending against them doesn’t require buying or installing some type of security software. As I noted in a column last week, it merely requires the user to accept the notion that “security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.”

Last month, I railed against the perennial practice of merely counting vulnerabilities in a software product as a reliable measure of its security: Understanding the comparative danger of using different software titles, I argued, requires collecting much more information about each, such as how long known flaws existed without patches. Now, vulnerability management firm Secunia says its new software fact sheets try to address that information gap, going beyond mere vulnerability counts and addressing the dearth of standardized and scheduled reporting of important security parameters for top software titles.

Secunia "fact sheet" on Adobe Reader security flaws.

“In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment,” the company said.

In addition to listing the number of vulnerabilities reported and fixed by different software vendors, the fact sheets show the impact of a successful attack on the flaw; whether the security hole was patched or unpatched on the day it was disclosed; and information about the window of exploit opportunity between disclosure and the date a patch was issued.

The fact sheets allow some useful comparisons — such as between Chrome, Firefox, Internet Explorer and Opera. But I’m concerned they will mainly serve to fan the flame wars over which browser is more secure. The reality, as shown by the focus of exploit kits like Eleonore, Crimepack and SEO Sploit Pack, is that computer crooks don’t care which browser you’re using: They rely on users browsing the Web with outdated software, especially browser plugins like Java, Adobe Flash and Reader (all links lead to PDF files).

Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today’s patches earned a “critical” rating, Microsoft’s most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “All that is required is for the content of the email to appear in Outlook’s Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected.”

Microsoft did not issue an update to fix a zero-day flaw in Internet Explorer that bad guys are exploiting to break into Windows computers. Last week, the software giant warned that crooks were exploiting the flaw in targeted attacks, and that it had no intention of issuing a fix for the security hole outside of its normal monthly patching process (the second Tuesday of each month — today — is Patch Tuesday).

Since that advisory, the IE exploit has been bundled into the Eleonore Exploit pack, a powerful and widely-used commercial crimeware kit that makes it trivial for attackers to turn legitimate Web sites into platforms for installing malware when visitors browse the sites with vulnerable PCs.

If you have Office Installed, take a moment to visit Microsoft Update to patch things up. If you use IE, either upgrade to IE8 — which provides additional protections against this zero-day attack — or consider implementing the Fix-It tool that Microsoft has released to help mitigate the threat from the vulnerability.

A summary of today’s bulletins is available here.

Update, 7:03 p.m. ET: Added information at the end of this post on the Microsoft FixIt Tool.

In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago:  Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

Image courtesy Microsoft

Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.

My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

Stewart asks, “Why has no one been talking about Java-based exploits?” Then she answers her own question:

Looking back at the chart above, you can see that this exploitation has been happening for some time.  So, why has no one been talking about Java-based exploits?  (Well, almost no one.  Brian Krebs broke the ice this week).

I have a theory about why almost no one has noticed.  IDS/IPS vendors, who are typically the folks that speak out first about new types of exploitation, have challenges with parsing Java code.  Documents, multimedia, JavaScript – getting protection for these issues is challenging to get right.  Now, think about incorporating a Java interpreter into an IPS engine?  The performance impact on a network IPS could be crippling.  So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light.  Call it Java-blindness.

So, if the antimalware people can see it, why aren’t *they* talking about it?  Because, looking at the numbers, Java exploits (and most exploits for that matter) are very low-volume in comparison to the volume of common malware families like Zbot (a family for which we added detection in MSRT just this week).  What we have to remember is that, with exploits, it’s not about volume – they happen in a flash and you have to catch them in the act (with a real-time protection product such as Microsoft Security Essentials) before they open the door to lots of malware.  So, even small numbers, especially when they’re against unpatched vulnerabilities, matter a lot.

If you haven’t done so lately, take a moment to see if you have this program installed, and if you do, please make sure it is up to date. Just last week, Oracle issued another update — Java 6 Update 22 — that fixes at least 29 security flaws in the program.

KrebsonSecurity.com  will continue to post the newest security updates, when they become available. But, your computer installation of Java also includes a built-in updater that you should configure to check for updates as frequently as possible.

Allow me to reiterate my urgent advice from last week:

Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java’s updater often fails to detect when a new version is available. Alternatively, programs like FileHippo’s Update Checker and Secunia’s Personal Software Inspector can help users stay up to date on the latest security patches.

Take one look at the newest kit on the block — “Blackhole” — and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.

I spoke briefly via instant message with the developer of this Blackhole kit (pictured at right), and he assured me that these images were taken from a working installation. The screen shot here shows the administration panel for this exploit pack, which lists the number of hits (хиты) and downloads (загрузки). The statistics show that on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.

Granted, as exploit pack administration pages go, this one is very young (13,289 hits at the time this screen shot was taken), but already some patterns emerge from the data. For example, we can see that Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.

This pattern is not confined to Blackhole. Have a look at the following three screen shots, taken from the exploit results pages of three different working installations of SEO Sploit Pack, another common exploit kit. All three screen shots clearly show Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or “loads” (thanks to Malwaredomainlist.com for help on this).

For those who have not been following along, I also found Java flaws to be the leading exploit vectors for both the Crimepack and Eleonore exploit packs.

I believe that there are two reasons for this pattern: First, Java’s maker, Sun — now part of Oracle Corp. — for too long considered itself an enterprise software company, and chose to ignore that its software also is installed on something like 85 percent of the desktop computers on the planet (and 75 percent of Krebsonsecurity.com readers, according to Google Analytics). Also, it seems that many consumers simply aren’t aware that they have this software installed, or that it needs fairly frequent updating.

Adobe has taken some lumps over the past year for the number of critical vulnerabilities that hackers have found and exploited in its software. But for some reason, Java seems to get a pass from the tech and security press, even though Java flaws consistently are found to be the most useful for attackers who wield these automated exploit kits.

If you don’t use Java, consider removing it. You can always reinstall it later if you find you need it. If you do use Java, then please keep it up to date. Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java’s updater often fails to detect when a new version is available. Alternatively, programs like FileHippo’s Update Checker and Secunia’s Personal Software Inspector can help users stay up to date on the latest security patches.

Update, Oct. 12, 6:19 p.m. ET: Oracle just released an update — Java 6 Update 22 — that fixes 29 security flaws in the most recent version of Java.

A screen shot of the Pirate Bay admin panel showing newly registered users.

An Argentinian hacker named Ch Russo said he and two of his associates discovered multiple SQL injection vulnerabilities that let them into the user database for the site. Armed with this access, the hackers had the ability to create, delete, modify or view all user information, including the number and name of file trackers or torrents uploaded by users.

Russo maintains that at no time did he or his associates alter or delete information in The Pirate Bay database. But he acknowledges that they did briefly consider how much this access and information would be worth to anti-piracy companies employed by entertainment industry lobbying groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), each of which has assiduously sought to sink The Pirate Bay on grounds that the network facilitates copyright infringement.

That effort has largely failed, but both industries have been busy suing individual music and movie downloaders for alleged copyright violations, often obtaining substantial monetary damages when defendants settled the charges out of court. In almost every case, the entertainment industry learned the identities of file-sharing users by subpoenaing subscriber information from Internet service providers based on the user’s Internet address.

“Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told KrebsOnSecurity.com in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”

Russo showed this reporter what appeared to be the user names and MD5 hashed passwords of the top administrators and moderators for the site. Russo volunteered to send me the e-mail address and hash of the password that I used to register on the site  in exchange for my Pirate Bay user name. A follow-up communication showed that he did in fact have access to that information.

A screen shot of the admin page for thepiratebay.org

On Monday, I left a message requesting comment in the contact portion of thepiratebay.org, but haven’t yet received a response. I will update this post if that changes. I also sought comment from a Pirate Bay representative at the organization’s official IRC channel, but was unceremoniously kicked and banned from the channel after pasting the user names and hashed passwords of the site administrators and moderators.

Russo said The Pirate Bay administrators appear to have removed the Web site component that facilitated access to thepiratebay.org user database, although he added that he’s had no direct contact with the site administrators about his findings.

Russo, who turned 23 this week, is the creator of a subscription-based software vulnerability exploit service called Impassioned Framework. The young hacker said he is hoping to market it as a security auditing tool, although it appears to be fundamentally an exploit kit in the same vein as Eleonore and other exploit packs, toolkits designed to be stitched into a Web site and probe visitor PCs for security holes that can be used to surreptitiously install malicious software.

Administrative page from a live Crimepack exploit kit.

Last week, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software.

Speaking at the Syscan security conference in Singapore, Laurent Oudot, founder of Paris-based TEHTRI Security, released security advisories broadly outlining more than a dozen remotely exploitable flaws in Eleonore and other exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs.

“It’s time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues,” Oudot wrote in a posting to the Bugtraq security mailing list.

Oudot says he is reluctant to release more information about the vulnerabilities until next month, when he is slated to discuss the findings at another Syscan conference in China. But in an interview with KrebsOnSecurity, Oudot said that in the days since his advisory was published, a number of folks in the security community have come out against the idea of sharing the exploit pack vulnerability information more broadly.

For one thing, detractors argue, telling the world about these flaws will, in all likelihood, prompt the creators of these vulnerable tools to ship updates that fix the security weaknesses. The latest version of Eleonore, for example — version 1.4.1 — is among several updates shipped for Eleonore during the past year alone. Critics also say while the vulnerability disclosure could give law enforcement officials and “white hat” hackers new tools to infiltrate and disrupt cyber crime operations, that information is just as likely to be exploited by novice hackers with far less noble intentions.

For his part, Oudot isn’t swayed by either argument.

“We will see if the defenders will be able to find vulnerabilities again,” Oudot said, of the likelihood that the exploit pack makers would patch the holes. “We can all decide to fight back, or to be victims. It’s like in some countries, there are many terrorists but nobody attacks them. It’s a choice of future.”

Oudot said his team has received several e-mails from legal and security experts questioning whether they might be violating any laws by disclosing the information.

“Also, we got some IT security friends who told us that it could be interesting to keep it a little bit secret for a short period of time, so that the blackhats who build such tools would not be able to react properly in a short future,” Oudot wrote. “Our goal was to initiate real discussions in the world about cyber security and how to handle cyber threats. Our main purpose was to offer a new vision, a new future action field. Now, the companies, the lawyers, the international organizations, etc., will have to make choices.”

Not only do most users have some version of Java on their systems, most Windows users likely have multiple copies of this program on their PCs, because older installers failed to remove previous, insecure versions of the software.

Worse still, Java is now among the most frequently-attacked programs, and appears to be fast replacing Adobe as the target of choice for automated exploit tools used by criminals.

Readers of the blog are no doubt familiar with my previous stories on the Eleonore Exploit Pack, a commercial software package sold by and to criminals that is used to booby trap Web sites with exploits for the most common Web browser vulnerabilities. Check out past posts on Eleonore, and it’s clear Java flaws are a key target of this increasingly common exploit pack.

Below are a few screen shots taken from the administration page of yet another working Eleonore Exploit Pack: The first image shows the exploits used by this pack, along with the number of times each exploit  (“sploit”) was successful in delivering malicious software payloads (or “loads”) to the visitor. As we can see, the “java2e” and “javae0″ are by far the most successful of the exploits.

The exploits from this pack were stitched into a number of hacked or maliciously crafted porn sites, shown below. But just because you don’t surf porn doesn’t mean these exploit packs can’t touch you: Many are stitched into more mainstream sites, such as those belonging to online stores and blogs. I hope it goes without saying that readers should assume all of these sites below are still hostile and that you should *not* visit them unless you *really* know what you are doing:

It’s probably worth noting the overall browser stats for this particular exploit panel: A little more than 11 percent of those who visited these…err…booby trapped Web sites were successfully hit with an exploit. At least with this group of exploit sites, nearly all of the visitors and victims appear to have visited with some version of Internet Explorer. I should note these stats should be taken with a grain of salt, because it seems Eleonore’s visitor numbers always contain statistical oddities that make them suspect at best. For example, according to these numbers, only 30 out  more than 20,000 visitors (slightly more than one out of every thousand) visited the sites with some version of Chrome, Firefox or Opera.

Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly every one in ten visitors.

As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because of they were running an outdated version of Java.

Nearly one-third of all successful attacks from this Eleonore kit leveraged flaws in older versions of Adobe’s PDF Reader. People often scoff when I recommend an alternative to Adobe for displaying PDFs, saying that criminals can just as easily target security vulnerabilities in those applications, which ship far fewer security updates than Adobe. That may be true, but I haven’t seen much evidence that hackers are going after flaws in non-Adobe PDF readers at any appreciable or comparable level. Incidentally, if you use the free PDF reader from Foxit, an Adobe alternative I’ve often recommended, you should know that Foxit recently shipped a new version — v. 3.31 — that includes security improvements.

I also found this time around similar percentages of exploit victims among those surfing with different versions of Internet Explorer. With this Eleonore kit, more than one-third of those who visited the exploit site with IE6 were loaded with malicious software. The Eleonore admin panel reported that more than 12 percent of IE7 users and 20 percent of IE8 surfers visited and subsequently were infected with malware. The prevalence of IE users among the victims may be due in part to the fact that half of the exploits used by this particular kit target IE security holes.

Annoyingly, this Eleonore admin page doesn’t resolve one of the open questions I heard most frequently after my last story on Eleonore: Where are all the Firefox victims? I still don’t have a decent answer to that puzzle, but I do have a couple of guesses. For one thing, unlike the last Eleonore kit I examined, this one does not include an exploit specifically for Firefox. It’s also possible that these kits are detecting Firefox visitors as users of some other browser (the report indicates, for example, that 15 percent of Google Chrome users browsing with version 4.1 were successfully attacked). Whatever the reason, it seems highly unlikely that all of the nearly 5,600 Firefox users who visited the exploit sites detailed here escaped unscathed.

Anyway, below are the stats, which start with those of Chrome and Firefox visitors:

…more Firefox stats and then IE, Opera and Safari…