Web-Based Attacks Rise Sharply, HP Reports

Attacks on servers shifted dramatically from traditional protocols, such as SMB (Server Message Block), to Web-based attacks during the course of 2010, aided by a proliferation of sophisticated, inexpensive toolkits, according to a report by HP. And, while the number of newly discovered software vulnerabilities has leveled off somewhat in recent years, Web application vulnerabilities now comprise about half the total, according to the "2011 Top Cyber Security Risks Report."

April 4, 2011

A comparison of SMB and HTTP attacks showed a major change starting in March, as HTTP-based attacks moved from just over one-tenth of the total at the beginning of the year to about half. That trend held true until the fourth quarter of 2010, when HTTP was the target of about 70 percent of the attacks.

"We're seeing a huge explosion in Web application attacks," says Mike Dausin, manager of advanced security intelligence for HP DVLabs. "And the attackers are not just using one or two vulnerabilities; they're sending a barrage of malicious requests, trying every tool they have at their disposal."

The report cites an example of a successful PHP file-include attack uncovered by its labs, in which a compromised host was actually subjected to some 10 different attacks. By contrast, a typical attempt against SMB tries a single type of attack. While almost all the attacks are automated, very few of the SMB attacks appear to be aimed at a single machine. Many of the Web-based attacks, in contrast, appear to target individual hosts.

Sophisticated and relatively cheap (estimated at $2,400 on the high end), attack toolkits are a major factor in the increase in Web-based attacks. It's easy to make money, for example, by using a kit to create a botnet and then using it or renting it out, according to HP. The kits are becoming more prevalent as criminals take existing kits, add some of their own code and put the result on the market as their own.

Modern attack toolkits are often polished products. "A lot more money is being put into coding of toolkits," says Alen Puzic, security researcher at DVLabs. "They are not just a bunch of hack shell scripts, but full-fledged UI products done by real programmers. The code looks really good; it's quite mature." These toolkits are very successful, sometimes achieving an infection rate of over 15 percent; even the least effective cited, LuckySploit, infected 7.5 percent of its targets.

Content management systems (CMS) are being exploited as well, in part because of vulnerabilities in plug-ins rather than the core applications. A study of three of the more popular CMS applications--WordPress, Joomla and Drupal--showed a major shift: plug-ins accounted for about 40 percent of the vulnerabilities discovered from 2006 to 2009 but approached 60 percent in 2010. HP believes this may be the result of more aggressive security in updating the core applications and the proliferation of less secure plug-ins.

HP also saw a huge spike in its pay-for-vulnerability program, the Zero Day Initiative (ZDI). In 2010, HP paid for 320 vulnerabilities, most of which can be classified as critical, out of a total of 750 since the program started in 2005.
