Security experts have warned for months that online outlaws have found greater success and profit in attacks that pummel Web application flaws.
From early January through late June, Fortify, the Palo Alto, Calif.-based security vendor, collected data from corporate IT environments that use its Fortify Application Defense product, which secures J2EE-based applications. The resulting report outlines four trends:
Bots wage war on Web apps
On average, 50% to 70% of attacks against Web applications over a six-month period were launched by bots and bot networks searching for known vulnerabilities.
"These automated probes seek out unprotected or unpatched components in applications and deliver their malicious code" successfully, the report said. "The effect is much like a storm raging over a landscape: the probes are sprayed throughout the Internet and ceaselessly (and somewhat randomly) hit Web applications."
Over a single week, for example, Fortify monitored applications that were pummeled by seven distinct attacks from separate IP addresses that resulted in 52 attempts to access .php files. "Given the attacks' frequency and content, they most likely originated from machines infected by worms that periodically launched these automated attacks," the report said.
Brian Chess, Fortify's chief scientist, said he was most surprised to see how much useless data these bots generate in order to mask their attacks.
"If you're the IT administrator, the bot is generating a lot of data that masks its more interesting activities," he said. "After a while of seeing all this noise, you tend to get bored and walk away, and you may not detect the real damage."
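The detection problem Chess describes, noisy automated probes that bury the few requests worth looking at, can be handled by separating the two in the access log. The example below is an added illustration, not code from Fortify or the report: it parses constructed Apache/Tomcat-style combined log lines (the addresses, paths and timestamps are made up), treats any request for a `.php` resource that 404s against a J2EE application as scanner noise, flags sources that send several such probes, and then lists the remaining requests from those same sources so they are not lost in the noise. The threshold `min_probes` and the "`.php` that 404s" heuristic are assumptions for this example; tune both for your own application.

```python
import re
from collections import defaultdict

# Constructed sample log (combined log format). Not taken from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2006:04:01:11 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2006:04:01:12 +0000] "GET /admin.php HTTP/1.0" 404 312 "-" "-"
198.51.100.23 - - [12/Mar/2006:04:01:12 +0000] "GET /setup.php HTTP/1.0" 404 312 "-" "-"
198.51.100.23 - - [12/Mar/2006:04:01:13 +0000] "GET /blog/admin.php HTTP/1.0" 404 312 "-" "-"
198.51.100.23 - - [12/Mar/2006:04:01:13 +0000] "GET /old/admin.php HTTP/1.0" 404 312 "-" "-"
192.0.2.44 - - [12/Mar/2006:04:02:40 +0000] "GET /admin.php HTTP/1.0" 404 312 "-" "-"
192.0.2.44 - - [12/Mar/2006:04:02:41 +0000] "GET /login.php HTTP/1.0" 404 312 "-" "-"
203.0.113.7 - - [12/Mar/2006:04:03:02 +0000] "GET /account/view.jsp?id=17 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2006:04:05:55 +0000] "POST /account/view.jsp HTTP/1.0" 200 2210 "-" "-"
"""

# Client IP, timestamp, request line, status and size of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_probe(rec):
    """Heuristic (assumption): our app is J2EE, so a .php request that 404s is scanner noise."""
    return rec["path"].lower().endswith(".php") and rec["status"] == 404


def summarize(log_text, min_probes=3):
    """Count probe traffic and, for each noisy source, keep its non-probe requests.

    Returns {"total_requests", "total_probes", "probe_ips": {ip: {"probes", "other"}}}.
    """
    by_ip = defaultdict(list)
    total_requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total_requests += 1
        by_ip[rec["ip"]].append(rec)

    total_probes = 0
    probe_ips = {}
    for ip, recs in by_ip.items():
        probes = [r for r in recs if is_probe(r)]
        total_probes += len(probes)
        if len(probes) >= min_probes:
            # These are the requests the noise was masking: review them by hand.
            other = [r for r in recs if not is_probe(r)]
            probe_ips[ip] = {"probes": len(probes), "other": other}
    return {"total_requests": total_requests, "total_probes": total_probes, "probe_ips": probe_ips}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total_probes']} probe requests out of {s['total_requests']} total")
    for ip, info in s["probe_ips"].items():
        print(f"{ip}: {info['probes']} probes; non-probe requests to review:")
        for r in info["other"]:
            print(f"  {r['ts']} {r['method']} {r['path']} -> {r['status']}")
```

On the constructed sample the summary reports six probe requests out of nine, flags 198.51.100.23 as a noisy source, and surfaces its single non-probe request, a POST to an application page that succeeded, which is exactly the kind of event an administrator tired of the noise would miss.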
Bad guys use Google, too
More than 20% of all security events in the Fortify monitoring pool were the result of hackers accessing Web site vulnerability information stored on search sites like Google, the report said, since search engines collect a wealth of information about every Web site they index. "If a Web site inadvertently reveals sensitive information or advertises the presence of a vulnerability, then Google's index of the site will contain evidence of the flaw," the report said.
For example, if a page is broken, a Web application may report diagnostic information like a stack trace. Cyberthieves can use that to map out the components and internal structure of a vulnerable application and then pounce on the target.
"The biggest surprise to people using our product was the number of errors on their Web sites and how much of it is being revealed on Google and other search sites," Chess said. "When Google indexes all this information, the attackers can find you from Google just as the good guys can find you from Google."
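The leak described above starts with an application that answers a failure by showing the client the stack trace, which a search engine then indexes. The example below is an added illustration in Python, not code from Fortify or from any J2EE framework: `handle_request` shows the default debug behaviour (full trace in the response body) beside the production behaviour (generic message plus a reference id, with the full detail written only to the server log), and `leaks_internals` is a simple check you can run over your own responses to catch pages that still expose implementation detail. The failing view and the leak patterns are constructed for this example; in a J2EE deployment the equivalent control is a custom `<error-page>` in `web.xml` rather than the container's default error page.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Signatures of implementation detail that should never reach a client (constructed list; extend for your stack).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),            # Python trace
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),                # Java stack frame
    re.compile(r"\b(?:java|javax|org\.apache)\.[\w.]*(?:Exception|Error)\b"),
    re.compile(r'File "[^"]+\.py", line \d+'),
    re.compile(r"\b(?:SQLException|ORA-\d{5}|syntax error at or near)\b"),
]


def leaks_internals(body):
    """True if a response body contains a stack trace or similar diagnostic detail."""
    return any(p.search(body) for p in LEAK_PATTERNS)


def _failing_query():
    # Constructed stand-in for a broken component; the message mimics a DB error.
    raise RuntimeError("SELECT * FROM accounts WHERE id = ? failed: connection refused")


def handle_request(view, expose_details=False):
    """Run `view` and return (status, body).

    expose_details=True mirrors a framework's default debug error page.
    expose_details=False is the production behaviour: detail goes to the log under
    a reference id, and the client sees only that id.
    """
    try:
        return 200, view()
    except Exception as exc:
        if expose_details:
            trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
            return 500, "<pre>" + trace + "</pre>"
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s unhandled %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
        return 500, f"<p>An internal error occurred. Reference: {ref}</p>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for expose in (True, False):
        status, body = handle_request(_failing_query, expose_details=expose)
        print(f"expose_details={expose}: status {status}, leaks internals: {leaks_internals(body)}")
```

Run stand-alone, the debug variant produces a body that `leaks_internals` flags, while the production variant returns a body with nothing to index but an opaque reference; the reference id also gives support staff a way to find the real trace in the log without it ever leaving the server.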
Attacks more sophisticated, widespread
Application-specific attacks appear to be less frequent, but Fortify found them to be far more sophisticated and more dangerous to the Web applications they target. The most common techniques in directed attacks appear to be cross-site scripting, SQL injection and buffer overflows.
Fortify's research also showed attacks originating from the United States, China, Poland, Australia and many other countries. "The use of anonymizing technologies and proxy servers continues to mask the true locations of Web application attack sources, reflecting their 'invisible' nature," the report said.
There are a variety of techniques the bad guys use to cover their tracks, like hiding behind a proxy server or a chain of proxy servers, the report said.
"Various anonymizing technologies have been developed … to make it difficult to determine the origin of an Internet connection," the report said. "In the best cases, they prevent repressive governments from punishing political opponents. In the worst cases, these technologies can be used by malicious hackers to attack other computers with little chance of being physically captured."
Chess said a vast majority of Web app attacks seem to be coming from the United States. But, he added, "We really have no idea where the attackers are actually sitting."
This article originally appeared on SearchSecurity.com.