By now, most companies recognize that network security is an important aspect of daily operations, but few realize how quickly new methods of Internet attack are being invented. While organizations rush to develop their security policies and implement even a basic security foundation, the professional hacker continues to find new ways to attack by modifying old Internet worms, Trojans, and viruses, or creating completely new ones. Recently, the attention of these hackers has turned to Internet attacks targeted at the application layer, which can include either shrink-wrapped or custom applications. This layer is commonly the least protected layer of an organization's network. Industry experts estimate that three-fourths of the successful attacks targeting corporate networks are perpetrated via the application layer. Considering that Web applications by nature allow access to internal and external audiences, these Internet attacks can pose a serious threat to an organization's back-end data without the organization's knowledge.
Web applications by nature are not static. Content is continually being altered on a very frequent basis in order to keep up with the demand of new features and functionality. Even the simplest of changes could produce a vulnerability that may pose a major threat to corporate assets and confidential information, such as customers' identities, if and when a Web application attack is launched. The list of Internet attacks used today to target Web applications is growing. From Internet worms to SQL injection to Google hacking, organizations are learning the hard way about the ramifications from Internet attacks at the Web application layer. This new generation of Internet attacks has only begun, and organizations are already behind in protecting their most precious assets.
Traditionally, many people viewed application-level exploits as one of the more difficult Internet attacks to execute. This was true a couple of years ago, but with the advent of using the power of search engines for malicious attacks, hackers can now identify and exploit applications that are vulnerable to Internet attacks with extreme ease. Now, your company no longer needs to be a focused target of hackers to fall victim to Internet attacks - exploitation is as easy as turning up in a search result.
The History of Internet Worms
Internet worms are one form of attack that is becoming popular at the Web application layer. These worms have traditionally been widely successful at the network layer of an organization's infrastructure, perpetrating attacks on both personal and corporate networks. Internet worms that focus on the network layer take advantage of existing network vulnerabilities, such as buffer overflows and unpatched systems. The network worm infects a vulnerable system, then uses that system to identify other vulnerable targets to infect and propagate itself from one server to another. Traditional forms of Internet security, such as intrusion detection and prevention systems (IDS and IPS), have progressed to help in discovering these types of attacks before any damage is incurred. Web application worms, however, target the layer of most organizations that is the least prepared for Internet attacks, because that layer is not protected by traditional forms of Internet security. These nasty forms of Internet attack utilize known exploits, apply worm methodology, and then leverage the power of search engines to find vulnerable Web applications, accelerating the effectiveness of their attacks.
Worm Methodologies and Challenges
One of the keys to successful attacks is the ability to identify the next victims. Many Internet worms apply different tactics in order to do this type of search and seizure. Traditionally, these tactics have included randomly picking IP addresses or picking up an IP range of a victim and incrementally scanning that range. Some worms even take advantage of the data on the server. They grab e-mail or HTML documents on the infected host and scan through these in order to find more potential targets to infect. The ability to find the next target is an art, and the methods Internet worms use to do so are amazingly clever.
Those who use Internet worms have been facing some key challenges since the first one emerged on the scene, mainly with finding efficient and effective methods of exploiting an exponential number of hosts. In order for a worm's Internet attacks to be successful, the worm must spread to as many different hosts as quickly as possible. If Internet worms spin their wheels, re-infecting hosts that have already been infected, they don't progress towards their ultimate goal of widespread infection.
One of the other barriers to creating successful, long-lasting Internet worms is how long a vulnerability will remain exploitable. Most Internet worms take advantage of some known exploit, usually a buffer overflow. This technique limits a worm's capability to initiate full-scale attacks because of the ease with which the hole can be patched. So, in essence, a worm's success becomes its own demise: the more machines it infects, the more attention its Internet attacks draw, and the faster people patch the hole or vulnerability to avoid exploitation.
A good worm creator will realize that security companies will eventually identify some method of stopping the propagation of his or her Internet worms by using signature or network-based anomaly detection. Therefore, worm creators are constantly researching and finding more successful and more destructive methods for their Internet attacks. This is where the battle between the worm creator and the security companies becomes interesting.
Internet Worms Evolve
By taking a look at how Web application worms work, it is apparent that these Internet attacks have similar problems with widespread success as seen with traditional network worms, but to a lesser extent. For instance, the ability to identify targets for attacks becomes a much easier game. No longer do Internet worms have to guess at which targets to hit. Search engines create this list for them and even narrow it down to the most vulnerable targets. The most dangerous part of Web application worms' Internet attacks is that most of the application-level issues they aim to exploit are development errors within the application code and are not simply corrected by installing a patch. Take, for example, the common Web application vulnerability, SQL injection. SQL injection is a technique for exploiting Web applications that use client-supplied data in SQL queries without stripping out potentially harmful characters first. Fixing SQL injection requires a developer to comb through the entire application code base in order to manually fix each piece of code that is vulnerable to Internet attacks. Depending on the size of your application, this could take months or years, or may not even be feasible to correct appropriately in order to be secure from attacks. So, the issue is no longer the patch roadblock, but a coding issue at the beginning of an application's development. This characteristic can make a Web application worm very deadly.
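The coding defect described above, shown beside its fix, as an added example that is not part of the original article and is not code from the author or from SPI Dynamics. The users table, its rows, the login functions and the probe string are all constructed for the demonstration; the point is that the fix is a change to how each query is written, not a patch that can be installed once.

```python
"""Added example: a SQL injection defect beside its fix.

Illustrative code written for this article, not code from the author or
from any product. The table, rows and login functions are constructed
(hypothetical names) so the example runs offline with sqlite3.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Vulnerable: client-supplied strings are pasted into the SQL text.

    Whatever characters the client sends become part of the query's
    grammar, so the query the database runs is not the query the
    developer wrote. This is the development error the article describes.
    """
    sql = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened: the same query with bound parameters.

    The SQL text is fixed; the driver hands name and password to the
    engine as data, so quotes or keywords inside them never change the
    query's structure. No character stripping is needed.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo() -> tuple:
    """Run both versions on a constructed test input that contains a
    quote and an always-true condition; return (vulnerable, safe) row counts."""
    conn = make_db()
    # Constructed probe of the kind a security tester uses to confirm the defect.
    probe = "' OR '1'='1"
    vulnerable_rows = login_vulnerable(conn, probe, probe)
    safe_rows = login_safe(conn, probe, probe)
    return len(vulnerable_rows), len(safe_rows)


if __name__ == "__main__":
    v, s = demo()
    print(f"vulnerable query returned {v} rows, parameterized query returned {s}")
```

With the probe as both name and password, the concatenated query returns every row of the table because the injected condition rewrites the WHERE clause, while the parameterized query returns nothing because the same bytes are compared as a literal value. Each query built by concatenation in a code base has to be rewritten this way, which is why the author's point about months or years of work holds.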
For an example of how Internet worms targeting the application layer work, let's examine the profile of a typical Web application worm that takes advantage of a SQL injection vulnerability. The first step of all Internet attacks is to infect your starting host. This is accomplished by identifying where the host is vulnerable to SQL injection. The second step is to upload your worm payload, which may be done either via unprotected command execution APIs or via your own stored procedure. Once your payload is running, it will use the infected host to make requests to multiple search engines and identify more victims that are vulnerable to SQL injection Internet attacks. It will then upload itself to those victims, and the process starts over for the Internet worm. What will this accomplish? It all depends on the creator of the Internet worm – it could be malicious and drop the entire database, causing a huge amount of chaos, or it could do something more drastic like dumping the entire database to your index page on the Web site or pushing it onto the gnutella network.
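Every step of the profile above begins with SQL injection requests arriving at the Web server, so the server's own access log is a place a defender can see the worm coming. The following is an added example, not code from the author or from any product: a small scanner that parses constructed access log lines in the common "combined" format, URL-decodes each query string, and flags a few classic injection indicators, tallying probes per source address. The indicator set is deliberately small and illustrative; a production detector would rely on a maintained rule set.

```python
"""Added example: flagging SQL injection probes in Web server access logs.

Written for this article as an illustration, not code from the author or
from any product. The log lines are constructed, and the indicator
patterns are a small, conservative set for demonstration only.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" access log format.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2005:10:00:01 +0000] "GET /viewtopic.php?t=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.10 - - [05/Jan/2005:10:00:02 +0000] "GET /viewtopic.php?t=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Jan/2005:10:00:05 +0000] "GET /search.php?q=worm%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 311 "-" "-"
192.0.2.44 - - [05/Jan/2005:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2005:10:00:11 +0000] "GET /profile.php?id=7%3B%20DROP%20TABLE%20users HTTP/1.1" 200 800 "-" "-"
"""

# Fields of one combined-format line that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# (name, regex) pairs applied to the URL-decoded query string.
INDICATORS = [
    ("quote-and-boolean", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked-statement", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]


def decoded_query(target: str) -> str:
    """Return the URL-decoded query string of a request target, or '' if none."""
    return unquote_plus(urlsplit(target).query)


def scan_line(line: str):
    """Parse one log line; return (ip, target, [indicator names]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decoded_query(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    return m.group("ip"), m.group("target"), hits


def scan_log(text: str) -> dict:
    """Scan every line; return flagged requests and a per-source probe count."""
    flagged = []
    per_ip = Counter()
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[2]:
            flagged.append(parsed)
            per_ip[parsed[0]] += 1
    return {"flagged": flagged, "per_ip": per_ip}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, target, hits in result["flagged"]:
        print(f"{ip} {target} -> {', '.join(hits)}")
    print("probes per source:", dict(result["per_ip"]))
```

Decoding before matching matters: the worm's requests arrive percent-encoded, and a pattern applied to the raw line would miss them. A per-source count is the simplest way to separate a single stray request from the repeated, automated probing a worm produces against every parameter it finds.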
As the Internet community is learning, Web application worms are not solely theoretical. In fact, the Santy worm and its variants emerged around the beginning of 2005. These Internet worms used the popular search engine Google to find Web sites running phpBB and then used a known exploit in the Web application to propagate. Luckily, the worms' Internet attacks, which were the first of their kind, did not cause too much damage because they had some fundamental problems:
1. The worms had a re-infection issue. Since these Internet worms used Google to find vulnerable hosts, they used the same search query for each victim, which always returned the same search results, so they could never really propagate to many hosts.
2. They were dependent on Google for their victim lists and used a very static query to retrieve the search results. Google was notified and corrected the issue, so the search query used for these attacks was then denied.
Still, even with these obvious defects in the nature of the worm, the Santy Internet worms infected over 10,000 Web sites, defacing each of them.
Tackling the Potential Infestation of Web Application Worms
The solution to attacks via Web application worms, and Internet worms in general, is to fix the problem that the worm uses to propagate. Application firewalls and assessment tools can be a good start to preventing these kinds of Internet attacks, but the real solution is to get the individuals who create software to consider security as a fundamental building block in developing software. Developers who design and build business-enabling applications generally are not security experts and, therefore, do not know how to avoid creating defects that are so easily exploited by hacker attacks like Internet worms. These applications tend to be pushed into production with little or no security testing. Just as with the network layer, companies must now view the application layer as a potentially open portal to corporate assets and therefore need to implement the necessary security procedures across the application lifecycle to ensure that critical assets are secure from such new attacks as application worms. With more than one million new Web applications being launched each month and successful Internet worms and other hacker attacks in the news each week, application security should no longer be an afterthought for any organization looking to remain viable.
About the Author
Caleb Sima is the co-founder of SPI Dynamics, a web application security products company. He currently holds dual roles as CTO and director of SPI Labs, SPI Dynamics' R&D security team. Prior to co-founding SPI Dynamics, Caleb worked for the elite X-Force R&D team at Internet Security Systems, and as a security engineer for S1 Corporation. Caleb is a frequent speaker and press resource on Internet attacks, has contributed to Baseline Magazine and (IN)Secure Magazine, and has been featured in the Associated Press.