Attacks on servers shifted dramatically from traditional protocols, such as SMB (Server Message Block), to Web-based attacks during the course of 2010, aided by a proliferation of sophisticated, inexpensive toolkits, according to a report by HP. And, while the number of newly discovered software vulnerabilities has leveled off somewhat in recent years, Web application vulnerabilities now make up about half the total, according to the "2011 Top Cyber Security Risks Report."
A comparison of SMB and HTTP attacks showed a major change starting in March, as HTTP-based attacks moved from just over one-tenth of the total at the beginning of the year to about half. That trend held true until the fourth quarter of 2010, when HTTP was the target of about 70 percent of the attacks.
"We're seeing a huge explosion in Web application attacks," says Mike Dausin, manager of advanced security intelligence for HP DVLabs. "And the attackers are not just using one or two vulnerabilities; they're sending a barrage of malicious requests, trying every tool they have at their disposal."
The report cites an example of a successful PHP file-include attack uncovered by its labs, in which a compromised host was actually subjected to some 10 different attacks. By contrast, a typical attempt against SMB tries a single type of attack. While almost all the attacks are automated, very few of the SMB attacks appear to be aimed at a single machine. Many of the Web-based attacks, in contrast, appear to target individual hosts.
Sophisticated and relatively cheap attack toolkits (estimated at $2,400 on the high end) are a major factor in the increase in Web-based attacks. It's easy to make money, for example, by using a kit to create a botnet and then using it or renting it out, according to HP. The kits are becoming more prevalent as criminals take existing kits, add some of their own code and put the kit on the market as their own.