Exploited Apps Depend On Attack Vector

During the Thanksgiving weekend, the Blackhole exploit kit got an update. A developer for the popular criminal toolkit for creating malicious programs added a new exploit for a recently patched vulnerability in the Java Runtime Environment. Within a few days, the exploit was incorporated into the Metasploit penetration-testing toolkit, as well.

The scenario has become a common occurrence: Security researchers or cybercriminals develop an attack for a just-discovered flaw and add the exploit into their point-and-click attack kits. Soon, a relatively unknown attack becomes a quickly growing threat seen by a large population. It's a trend that has repeated itself many times, says Joshua Talbot, security intelligence manager for Symantec.

"Attackers often move in trends and focus on one piece of software until the opportunities are exhausted," Talbot says.

In the past, attacker have focused on creating files that take advantage of flaws in Microsoft's Office and Adobe's PDF format. In 2005, for example, Microsoft fixed more flaws in its Office products than in its other popular-to-pwn product, Internet Explorer.

"It depends on the vector you are looking at," says Jeremiah Grossman, chief technology officer for Web security firm WhiteHat Security. "If you are attacking through e-mail, you may use one type of attack. If you are attacking a website, another."

Here are some examples of how the bad guys home in on the hot attack targets:

1. Perennial e-mail favorite: PDFs
Five years ago, cybercriminals attempted to compromise victims PCs by exploiting vulnerabilities in Word and Excel. A few years later, Adobe's PDF format became the most popular file type for cybercriminals to target.

That remains true today, according to Symantec data. In the past year, more e-mail attacks used flaws in PDF than the next nine most popular file formats, Symantec's Talbot says.

"Attacking file formats is a good technique to compromise even savvy users," he says. "If you send an e-mail with a specific context, you have a good chance of success."

Maliciously crafted document files are frequently used in lower frequency, but more significant, targeted attacks. About one in every 2 million e-mails -- or one in every 8,300 e-mail attacks -- are highly targeted, Symantec states in its latest Intelligence Report.

2. Browser bane: Java
While file-format vulnerabilities are the most common attack when an attacker attempts to compromise systems through e-mail, browser-based attacks have increasingly focused on Java.

In its latest Security Intelligence Report, Microsoft found that between one-half and one-third of all exploits it detected were attempts to exploit flaws in Java. In total, the company detected almost 27.5 million exploit attempts in 12 months.

"Many of the more commonly exploited Java vulnerabilities are several years old and have had security updates available for them for years," said Tim Rains, director of trustworthy computing for Microsoft, in a blog post. "This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment."

3. Web sites: Beware SQL injection
For attackers focused on Web sites and the databases that power dynamic Web properties, the vector of choice is SQL injection, according to WhiteHat's Grossman.

"If you are attacking Web sites, you are going to use SQL injection," he says.

Other popular attacks include PHP file include attacks and predictable resource location.

The first line of defense for users and companies is to keep software up-to-date, says Symantec's Talbot. In most cases, there is a fix for the flaw already available.

For companies that cannot patch their systems in time, adding vulnerability-specific defenses, such as sandboxing a browser or implementing a Web-application firewall, can help buy time for the defender, he says.

"If there are attacks being made in the wild, then disable that technology until the threat is past," Talbot says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.