Drive-by downloads have become the tools of ever more organised professional criminals, who typically use networks of thousands of otherwise innocuous websites to plant malicious code on users' systems, according to a new study.

Exploit Prevention Labs (EPL) has kicked off what it plans as a monthly survey, called the Exploit Prevalence Survey, charting the rising use of exploits to distribute malware across the Internet. The initial report indicates that it is easier than thought for users to unwittingly pick up malicious programs.

"Many users mistakenly believe as long as they're not visiting pornographic or illegal file sharing sites, they're safe from exploits," said Roger Thompson, EPL's chief technical officer. "Sadly, our research indicates that even trusted websites can no longer be trusted."

It has become commonplace for attackers to plant malicious code onto ordinary websites without the site owners being aware that they've been hacked, Thompson said. Criminals then use a network of hundreds of malware servers to distribute code via a large number of seemingly innocuous sites. Other sites are offered a bounty based on the number of site visitors they infect, he said.

In a typical network analysed by EPL, the organisation behind it had a group of 200 domains, each of which was connected to an average of 500 lure sites, for a total of more than 20,000 sites.

The sites typically use known operating system or browser flaws to silently execute code on visiting systems, then hide their code using rootkits, which can be impossible to remove without re-installing the operating system - or, as one Microsoft executive put it, "nuking from orbit".

Gathering data from customer installations of its SocketShield anti-exploit software, the company found that the most frequently used exploit, with one-third of attempts, was the Windows Metafile (WMF) flaw. Russian hackers notoriously put exploit code for the flaw on sale for $5,000. "It's interesting that four months after Microsoft issued a patch, it's still the number one exploit being used by cyber criminals," EPL said.

In second place was WebAttacker, at 24.71 percent. WebAttacker is a Russian-built application that can make use of different exploits, gets a refresh every few weeks and doesn't need any skill to operate. EPL believes such programs are the wave of the future, essentially automating the process of delivering malicious payloads to vulnerable systems.

Other popular exploits were createTextRange(), at 20.74 percent, and an IFRAME-based launcher script used by a Russian gang called CoolWebSearch, at 18.44 percent. EPL found an IE scripting exploit was also widely used, at 3 percent.