How do hackers automate? What do they automate? And most importantly: How can security teams block automated attacks? The latest Hacker Intelligence Initiative from Imperva's Application Defense Center will help you answer these questions and many more.
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...IJERA Editor
Malwares which is also known as malicious software’s is spreading through the exploiting the client side applications such as browsers, plug-ins etc. Attackers implant the malware codes in the user’s computer through web pages; thereby they are also known malicious web pages. Here in the paper, we present the usefulness of controlled environment in the form of client honeypots in detection of malicious web pages through collections of malicious intent in web pages and then perform detailed analysis for validation and confirmation of malicious web pages. First phase is collection of malicious infections through high interaction client honeypot, second phase is validations of the malicious infections embedded into web pages through behavior based analysis. Malwares which infect the client side applications and drop the malwares into user’s computers sometimes overrides the signature based detection techniques; thereby there is a need to study the behavior of the complete malicious web pages.
Imperva's ADC analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the ADC: (1) multiple target SQL attackers generated nearly 6x their share of the population (2) multiple target comment spam attackers generated 4.3x their share of the population (3) multiple target RFI attackers generated 1.7x their share of the population (this amounted to 73% of total attacks).
Taxonomy mobile malware threats and detection techniquescsandit
Since last-decade, smart-phones have gained widespr
ead usage. Mobile devices store personal
details such as contacts and text messages. Due to
this extensive growth, smart-phones are
attracted towards cyber-criminals. In this research
work, we have done a systematic review of
the terms related to malware detection algorithms
and have also summarized behavioral
description of some known mobile malwares in tabula
r form. After careful solicitation of all the
possible methods and algorithms for detection of m
obile-based malwares, we give some
recommendations for designing future malware detect
ion algorithm by considering
computational complexity and detection ration of m
obile malwares.
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...IJERA Editor
Malwares which is also known as malicious software’s is spreading through the exploiting the client side applications such as browsers, plug-ins etc. Attackers implant the malware codes in the user’s computer through web pages; thereby they are also known malicious web pages. Here in the paper, we present the usefulness of controlled environment in the form of client honeypots in detection of malicious web pages through collections of malicious intent in web pages and then perform detailed analysis for validation and confirmation of malicious web pages. First phase is collection of malicious infections through high interaction client honeypot, second phase is validations of the malicious infections embedded into web pages through behavior based analysis. Malwares which infect the client side applications and drop the malwares into user’s computers sometimes overrides the signature based detection techniques; thereby there is a need to study the behavior of the complete malicious web pages.
Imperva's ADC analyzed real-world traffic from sixty Web applications in order to identify attack patterns. The report demonstrates that, across a community of Web applications, early identification of attack sources and attack payloads can significantly improve the effectiveness of application security. Furthermore, it reduces the cost of decision making with respect to attack traffic across the community. Here's how, based on the traffic analyzed by the ADC: (1) multiple target SQL attackers generated nearly 6x their share of the population (2) multiple target comment spam attackers generated 4.3x their share of the population (3) multiple target RFI attackers generated 1.7x their share of the population (this amounted to 73% of total attacks).
Taxonomy mobile malware threats and detection techniquescsandit
Since last-decade, smart-phones have gained widespr
ead usage. Mobile devices store personal
details such as contacts and text messages. Due to
this extensive growth, smart-phones are
attracted towards cyber-criminals. In this research
work, we have done a systematic review of
the terms related to malware detection algorithms
and have also summarized behavioral
description of some known mobile malwares in tabula
r form. After careful solicitation of all the
possible methods and algorithms for detection of m
obile-based malwares, we give some
recommendations for designing future malware detect
ion algorithm by considering
computational complexity and detection ration of m
obile malwares.
Study of Web Application Attacks & Their Countermeasuresidescitation
Web application security is among the hottest issue
in present web scenario due to increasing use of web
applications for e-business environment. Web application has
become the easiest way to provide wide range of services to
users. Due to transfer of confidential data during these services
web application are more vulnerable to attacks. Web
application attack occurs because of lack of security awareness
and poor programming skills. According to Imperva web
application attack report [1] websites are probe once every
two minutes and this has been increased to ten attacks per
second in year 2012. In this paper we have presented most
common and dangerous web application attacks and their
countermeasures.
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...IJERA Editor
Client side attacks are those which exploits the vulnerabilities in client side applications such as browsers, plug-ins etc. The remote attackers execute the malicious code in end user’s system without his knowledge. Here in this research, we propose to detect and measure the drive by download class of malware which infect the end user’s system through HTTP based propagation mechanism. The purpose of this research is to introduce a class of technology known as client honeypot through which we execute the domains in a virtual machine in more optimized manner. Those virtual machines are the controlled environment for the execution of those URLs. During the execution of the websites, the PE files dropped into the system are logged and further analyzed for categorization of malware. Further the critical analysis has been performed by applying some reverse engineering techniques to categories the class of malware and source of infections performed by the malware.
Malware is a worldwide pandemic. It is designed to damage computer systems without
the knowledge of the owner using the system. Software‟s from reputable vendors also contain
malicious code that affects the system or leaks information‟s to remote servers. Malware‟s includes
computer viruses, spyware, dishonest ad-ware, rootkits, Trojans, dialers etc. Malware detectors are
the primary tools in defense against malware. The quality of such a detector is determined by the
techniques it uses. It is therefore imperative that we study malware detection techniques and
understand their strengths and limitations. This survey examines different types of Malware and
malware detection methods.
Symantec propone un'analisi approfondita sui Rogue Security Software. I RSS sono applicazioni fasulle che fingono di fornire servizi di tutela della sicurezza informatica ma che, al contrario, hanno come obiettivo quello di installare dei codici maligni che compromettono la sicurezza generale della macchina.
Panoramica - Rischi - Principali modalità di diffusione e distribuzione.
Il periodo di osservazione va da luglio 2008 a giugno 2009.
Camera based attack detection and prevention tech niques on android mobile ph...eSAT Journals
Abstract Mobile phone security has become an important aspect of security issues in wireless multimedia communications. In this paper, we focus on security issues related to mobile phone cameras. Specifically, we discover several new attacks that are based on the use of phone cameras. We implement the attacks on real phones, and demonstrate the feasibility and effectiveness of the attacks. Furthermore, we propose a lightweight defense scheme that can effectively detect these attacks. In this paper, we are going to develop an Android application such that when a user loses his/her phone, the spy camera could be launched via remote control and capture what the thief looks like as well as the surrounding environment. Then the pictures or videos along with location information (GPS coordinates) can be sent back to the device owner so that the owner can pinpoint the thief and get the phone back. We conduct a survey on the threats and benefits of spy cameras. Then we present the basic attack model and two camera based attacks: the remote- controlled real time monitoring attack and the pass code inference attack. We run these attacks along with popular antivirus software to test their stealthiness, and conduct experiment to evaluate both types of attack. Keywords: Passcode inference, limbus, eye tracking, remote controlled
Vulnerability scanners a proactive approach to assess web application securityijcsa
With the increasing concern for security in the network, many approaches are laid out that try to protect
the network from unauthorised access. New methods have been adopted in order to find the potential
discrepancies that may damage the network. Most commonly used approach is the vulnerability
assessment. By vulnerability, we mean, the potential flaws in the system that make it prone to the attack.
Assessment of these system vulnerabilities provide a means to identify and develop new strategies so as to
protect the system from the risk of being damaged. This paper focuses on the usage of various vulnerability
scanners and their related methodology to detect the various vulnerabilities available in the web
applications or the remote host across the network and tries to identify new mechanisms that can be
deployed to secure the network.
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
WearableAgency - We develop home automation applicationWearable Agency
Home automation involves introducing a degree of computerized or automatic control to certain electrical and electronics system in a building.
These lighting, temperature control, etc.., this paper demonstrate a simple home automation system which contains a remote mobile host controller and several client module (home appliances).
The client modules communicate with host controllers through a wireless device such as a Bluetooth enabled mobile phone, in this case, an android based smart phone.
Study of Web Application Attacks & Their Countermeasuresidescitation
Web application security is among the hottest issue
in present web scenario due to increasing use of web
applications for e-business environment. Web application has
become the easiest way to provide wide range of services to
users. Due to transfer of confidential data during these services
web application are more vulnerable to attacks. Web
application attack occurs because of lack of security awareness
and poor programming skills. According to Imperva web
application attack report [1] websites are probe once every
two minutes and this has been increased to ten attacks per
second in year 2012. In this paper we have presented most
common and dangerous web application attacks and their
countermeasures.
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...IJERA Editor
Client side attacks are those which exploits the vulnerabilities in client side applications such as browsers, plug-ins etc. The remote attackers execute the malicious code in end user’s system without his knowledge. Here in this research, we propose to detect and measure the drive by download class of malware which infect the end user’s system through HTTP based propagation mechanism. The purpose of this research is to introduce a class of technology known as client honeypot through which we execute the domains in a virtual machine in more optimized manner. Those virtual machines are the controlled environment for the execution of those URLs. During the execution of the websites, the PE files dropped into the system are logged and further analyzed for categorization of malware. Further the critical analysis has been performed by applying some reverse engineering techniques to categories the class of malware and source of infections performed by the malware.
Malware is a worldwide pandemic. It is designed to damage computer systems without
the knowledge of the owner using the system. Software‟s from reputable vendors also contain
malicious code that affects the system or leaks information‟s to remote servers. Malware‟s includes
computer viruses, spyware, dishonest ad-ware, rootkits, Trojans, dialers etc. Malware detectors are
the primary tools in defense against malware. The quality of such a detector is determined by the
techniques it uses. It is therefore imperative that we study malware detection techniques and
understand their strengths and limitations. This survey examines different types of Malware and
malware detection methods.
Symantec propone un'analisi approfondita sui Rogue Security Software. I RSS sono applicazioni fasulle che fingono di fornire servizi di tutela della sicurezza informatica ma che, al contrario, hanno come obiettivo quello di installare dei codici maligni che compromettono la sicurezza generale della macchina.
Panoramica - Rischi - Principali modalità di diffusione e distribuzione.
Il periodo di osservazione va da luglio 2008 a giugno 2009.
Camera based attack detection and prevention tech niques on android mobile ph...eSAT Journals
Abstract Mobile phone security has become an important aspect of security issues in wireless multimedia communications. In this paper, we focus on security issues related to mobile phone cameras. Specifically, we discover several new attacks that are based on the use of phone cameras. We implement the attacks on real phones, and demonstrate the feasibility and effectiveness of the attacks. Furthermore, we propose a lightweight defense scheme that can effectively detect these attacks. In this paper, we are going to develop an Android application such that when a user loses his/her phone, the spy camera could be launched via remote control and capture what the thief looks like as well as the surrounding environment. Then the pictures or videos along with location information (GPS coordinates) can be sent back to the device owner so that the owner can pinpoint the thief and get the phone back. We conduct a survey on the threats and benefits of spy cameras. Then we present the basic attack model and two camera based attacks: the remote- controlled real time monitoring attack and the pass code inference attack. We run these attacks along with popular antivirus software to test their stealthiness, and conduct experiment to evaluate both types of attack. Keywords: Passcode inference, limbus, eye tracking, remote controlled
Vulnerability scanners a proactive approach to assess web application securityijcsa
With the increasing concern for security in the network, many approaches are laid out that try to protect
the network from unauthorised access. New methods have been adopted in order to find the potential
discrepancies that may damage the network. Most commonly used approach is the vulnerability
assessment. By vulnerability, we mean, the potential flaws in the system that make it prone to the attack.
Assessment of these system vulnerabilities provide a means to identify and develop new strategies so as to
protect the system from the risk of being damaged. This paper focuses on the usage of various vulnerability
scanners and their related methodology to detect the various vulnerabilities available in the web
applications or the remote host across the network and tries to identify new mechanisms that can be
deployed to secure the network.
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
WearableAgency - We develop home automation applicationWearable Agency
Home automation involves introducing a degree of computerized or automatic control to certain electrical and electronics system in a building.
These lighting, temperature control, etc.., this paper demonstrate a simple home automation system which contains a remote mobile host controller and several client module (home appliances).
The client modules communicate with host controllers through a wireless device such as a Bluetooth enabled mobile phone, in this case, an android based smart phone.
Home System automation using android applicationdoaamarzook
This our final graduation project
Home system automation using Bluetooth , we control light and AC and Door by mobile application we made it to make it easy by user that can control and choose automation or manually .
Embedded Web Server based Home Automation using Raspberry PIEditor IJMTER
In smart home’s we have various high-tech appliances to get our jobs done and make
the life easier. It is necessary to control these home appliances smartly from anywhere. In this paper
we are implementing a system that will enable house owner to control their home through the
internet with high mobility and security. We will use the Embedded Web Server (EWS) which
enables controlling and monitoring the home appliances remotely with the help of any standard web
browser
This ppt explains about Home Automation by Android Application based Remote Control, student is provided with his/her authorized tag to swipe over the reader to record their attendance.
Edgefxkits.com has a wide range of electronic projects ideas that are primarily helpful for ECE, EEE and EIE students and the ideas can be applied for real life purposes as well.
http://www.edgefxkits.com/
Visit our page to get more ideas on popular electronic projects developed by professionals.
Edgefx provides free verified electronic projects kits around the world with abstracts, circuit diagrams, and free electronic software. We provide guidance manual for Do It Yourself Kits (DIY) with the modules at best price along with free shipping.
The aim of this project is to control the electrical appliances through a personal computer (PC). With this system, one can control the electrical appliances ON/OFF by just being seated at one place using a PC.
Comment spammers are most often motivated by search engine optimization for the purposes of advertisement, click fraud, and malware distribution. By spamming multiple targets over a long period of time, spammers are able to gain profit, and do harm. Comment spam attacks can cripple a website, impacting uptime, and compromise the user experience. Quickly identifying the source of an attack can greatly limit the attack’s effectiveness and minimize its impact on your website. This presentation will:
- Present an attack from both points of views – the attacker's and the victim’s
- Identify tools utilized by comment spam attackers
- Discuss mitigation techniques to stop comment spam in its early stages
Last month a hacker breached Yahoo!'s security systems and acquired full access to certain Yahoo! databases, leading to full access on the server. Technically, this highlights the danger of SQLi. From a business perspective, we see the security problem posed third-party code.
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesImperva
Today’s hackers ruthlessly target Common Vulnerabilities and Exposures (CVEs) to launch multi-site attacks that take control of Web servers and allow their perpetrators to flee with valuable data assets. HeartBleed stands as the most notorious example of a known vulnerability attack, but with a CVE database running in the thousands, attackers have ample opportunity to profit from unsecure Web applications. This presentation will:
- Discuss the latest data breach stats to identify where the most dangerous attacks are coming from
- Explore the attack perpetrators and reveal how they’re being successful
- Present the anatomy of a HeartBleed attack
- Provide mitigation techniques to protect against known vulnerabilities
Statistics show that organizations face an ever increasing threat from compromised insiders. These trusted end users routinely have their endpoint security tested by malware and viruses.
Industry analysts are now questioning the current and future capability of anti-virus and anti-malware solutions to mitigate these insider threats. There have been numerous high profile events over the past two years to demonstrate the problems of prioritizing security at the end-point.
SecureSphere ThreatRadar: Improve Security Team Productivity and FocusImperva
As much as 50% of the traffic hitting websites comes from known bad actors. This traffic can cause as much as 90% of security events, overwhelm security engineers and obscure the truly scary events that need further investigation. Imperva SecureSphere ThreatRadar proactively filters traffic from known bad actors so security teams can focus on what matters most. View this webinar and learn how to make your security engineering team more productive, Improve security and website infrastructure efficiency, and reduce risk and improve overall security posture.
The application threat landscape can be described as a cyber war. In this report, we explore the technical details of this war. This Web Application Attack Report identifies how many attacks a typical application can expect to suffer annually. In addition, it exposes which countries perpetrated the most attacks and compares application risks by industry. Most importantly, this report reveals the underlying distribution of attacks, presenting an accurate picture of today’s application threat landscape.
Top Five Security Must-Haves for Office 365Imperva
Whether you’ve already deployed Office 365 or have plans to, security considerations around moving your business-critical apps to the cloud are paramount. From Exchange, Yammer, and SharePoint to OneDrive and the Administrator Portal, monitoring activity and securing access is critical to mitigating threats and protecting confidential data.
6 Most Surprising SharePoint Security RisksImperva
As SharePoint gains traction in your organization, users quickly create new sites and add data to help them share information and work more efficiently. Before you know it, sensitive files are spread throughout SharePoint and security becomes crucial. Are you aware of - and prepared to stop - all the SharePoint security risks that are out there?
SharePoint is a complex, far-reaching system that's exposed internally and externally. With increased reliance on SharePoint comes multiple security risks, some obvious and some you wouldn't have imagined. Review this presentation to learn about some of the most surprising risks in SharePoint, uncovered by Imperva's security experts, including: (1) the six most surprising SharePoint threats including compromised insiders and search engine data leakage; (2) real-world examples of each threat; (3) practical methods for addressing these risks
Is your database environment growing rapidly? Is your organization at greater risk from outside hacks and compromised user accounts? An organization needs to know how to effectively monitor databases in order to prevent data loss, and significantly reduce the time to discover security risks and minimize potential damage.
View this presentation and learn how to:
- Detect and block cyber security events in real-time
- Protect large and diverse database environments
- Extend data monitoring to your Big Data and AWS environments
- Simplify compliance enforcements and reporting
Imperva's dedicated research organization, the Application Defense Center (ADC), constantly monitors hackers - and their attack methods - to isolate the most relevant attack campaigns. Based on this research data, the ADC has identified the top trends poised to have the most significant impact on the security landscape in 2014. This presentation outlines the trends that will resonate across the globe in the upcoming year like the return of compromised web servers, the rise of cloud platform breaches, and the spread of 3rd party application vulnerabilities.
This report describes Remote File Inclusion (RFI) – an attack that usually flies under the radar. Although RFI attacks have the potential to cause as much damage as the more popular SQL injection and cross-site scripting (XSS) attacks, they are not widely discussed. Imperva’s Hacker Intelligence Initiative (HII) has documented examples of automated attack campaigns launched in the wild. This report pinpoints common traits and techniques as well as the role blacklisting can play in mitigation.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSIJNSA Journal
Malware writers have employed various obfuscation and polymorphism techniques to thwart static analysis approaches and bypassing antivirus tools. Dynamic analysis techniques, however, have essentially overcome these deceits by observing the actual behaviour of the code execution. In this regard, various methods, techniques and tools have been proposed. However, because of the diverse concepts and strategies used in the implementation of these methods and tools, security researchers and malware analysts find it difficult to select the required optimum tool to investigate the behaviour of a malware and to contain the associated risk for their study. Focusing on two dynamic analysis techniques: Function Call monitoring and Information Flow Tracking, this paper presents a comparison framework for dynamic malware analysis tools. The framework will assist the researchers and analysts to recognize the tool’s implementation strategy, analysis approach, system-wide analysis support and its overall handling of binaries, helping them to select a suitable and effective one for their study and analysis.
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...Editor IJCATR
Among the various forms of malware attacks such as Denial of service, Sniffer, Buffer overflows are the most dreaded threats to computer networks. These attacks are known as botnet attacks and self-propagating in nature and act as an agent or user interface to control the computers which they attack. In the process of controlling a malware, Bot header(s) use a program to control remote systems through internet with the help of zombie systems. Botnets are collection of compromised computers (Bots) which are remotely controlled by its originator (Bot-Master) under a common Command-and-Control (C&C) structure. A server commands to the bot and botnet and receives the reports from the bot. The bots use Trojan horses and subsequently communicate with a central server using IRC. Botnet employs different techniques like Honeypot, communication protocols (e.g. HTTP and DNS) to intrude in new systems in different stages of their lifecycle. Therefore, identifying the botnets has become very challenging; because the botnets are upgrading their methods periodically for affecting the networks. Here, the focus on addressing the botnet detection problem in an Enterprise Network
This research introduces novel Solution to mitigate the malicious activities of Botnet attacks through the Principle of component analysis of each traffic data, measurement and countermeasure selection mechanism called Malware Hunter. This system is built on attack graph-based analytical models based on classification process and reconfigurable through update solutions to virtual network-based countermeasures.
Dominating headlines for the past year, SQLi has become a widely-known, even outside the circle of security professionals. And for good reason: SQL injection is probably the most expensive and costly attack since it is mainly used to steal data. Famous breaches, including Sony, Nokia, Heartland Payment Systems and even Lady Gaga's Web sites were compromised by hackers who used SQL injection to break-in to the application's backend database. LulzSec, the notorious hacktivist group, made SQLi a key part of their arsenal. This report details how prevalent SQL injection attacks have become, how attacks are executed and how hackers are innovating SQLi attacks to bypass security controls as well as increase potency.
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLSIJNSA Journal
Malware writers have employed various obfuscation and polymorphism techniques to thwart static analysis
approaches and bypassing antivirus tools. Dynamic analysis techniques, however, have essentially
overcome these deceits by observing the actual behaviour of the code execution. In this regard, various
methods, techniques and tools have been proposed. However, because of the diverse concepts and
strategies used in the implementation of these methods and tools, security researchers and malware
analysts find it difficult to select the required optimum tool to investigate the behaviour of a malware and to
contain the associated risk for their study. Focusing on two dynamic analysis techniques: Function Call
monitoring and Information Flow Tracking, this paper presents a comparison framework for dynamic
malware analysis tools. The framework will assist the researchers and analysts to recognize the tool’s
implementation strategy, analysis approach, system-wide analysis support and its overall handling of
binaries, helping them to select a suitable and effective one for their study and analysis.
Autonomic Anomaly Detection System in Computer Networksijsrd.com
This paper describes how you can protect your system from Intrusion, which is the method of Intrusion Prevention and Intrusion Detection .The underlying premise of our Intrusion detection system is to describe attack as instance of ontology and its first need is to detect attack. In this paper, we propose a novel framework of autonomic intrusion detection that fulfills online and adaptive intrusion detection over unlabeled HTTP traffic streams in computer networks. The framework holds potential for self-governing: self-labeling, self-updating and self-adapting. Our structure employs the Affinity Propagation (AP) algorithm to learn a subject’s behaviors through dynamical clustering of the streaming data. It automatically labels the data and adapts to normal behavior changes while identifies anomalies.
What is the watering hole techniqueThe term watering hole” refer.docxsorayan5ywschuit
What is the watering hole technique?
The term “watering hole” refers to initiating an attack against targeted businesses and organizations. In a watering hole attack scenario, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection.
How does a watering hole technique work?
A watering hole attack typically works this way:
Attackers gather strategic information that they can use to gain entry into their targeted organization. This step can be compared to a military reconnaissance mission. The information gathered may include insights on trusted websites often visited by the employees or members of their targeted entity. The process of selecting websites to compromise was initially dubbed “strategic web compromises.”
Attackers insert an exploit into the selected sites.
Once targeted victims visit the compromised site, the exploit takes advantage of software vulnerabilities, either old or new, to drop malware. The dropped malware may be in the form of a remote access Trojan (RAT), which allows attackers to access sensitive data and take control of the vulnerable system.
Where is this attack technique used?
Watering hole attacks were previously documented in several high-profile cases which include:
VOHO. In mid-2012 RSA identified a campaign known as VOHO, which was aimed at a particular group of organizations, specifically those involved with business and local government agencies in certain geographic areas. The attackers compromised carefully selected sites by inserting malicious JavaScript to deliver a Gh0st RAT variant. Gh0st RATs were previously seen in other attacks that targeted civic organizations and diplomatic entities worldwide.
Attack on high-profile groups. Just before the end of 2012, the Council on Foreign Relations (CFR) website was compromised to host a zero-day exploit in Internet Explorer. Those who visited the site were served with a backdoor malware. Microsoft addressed this vulnerability though the Microsoft Security Bulletin MS13-008.
Why is it effective?
Attackers incorporate strategies to circumvent the targeted organizations’ defenses in order for watering hole attacks to be effective. These may come in the form of outdated systems or simply human error.
In watering hole attacks, the goal is not to serve malware to as many systems possible. Instead, the attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. This makes the watering hole technique effective in delivering its intended payload.
Aside from carefully choosing sites to compromise, watering hole attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits.
This doesn’t mean that attackers don’t target patched system vulnerabilities. Because of patch management difficulties in an enterprise setting, IT administrators may delay deploying critical upda.
Web Application Attack Report (Edition #1 - July 2011)Imperva
As a part of its ongoing Hacker Intelligence Initiative, the Imperva Application Defense Center (ADC) monitored and categorized individual attacks across the internet over a period of six months, December 2010 through May 2011. This research encompasses attacks witnessed via onion router (TOR) traffic as well as attacks targeting 30 different enterprise and government Web applications.
Today internet security is a serious problem. For every consumer and business that is on the Internet,
viruses, worms and crackers are a few security threats. There are the obvious tools that aid information security
professionals against these problems such as anti-virus software, firewalls and intrusion detection systems, but
these systems can only react to or prevent attacks-they cannot give us information about the attacker, the tools
used or even the methods employed. Given all of these security questions honeypots are a novel approach to
network security and security research alike. It is a resource, which is intended to be attacked and compromised to
gain more information about the attacker and the used tools. It can also be deployed to attract and divert an
attacker from their real targets. Honeypots is an additional layer of security. Honeypots have the big advantage that
they do not generate false alerts as each observed traffic is suspicious, because no productive components are
running on the system. The levels of interaction determines the amount of functionality a honeypots provides that
is low and high interactions.
Welcome to the Threatsploit Report of covering some of the important cybersecurity events, incidents and exploits that occurred this month such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IOT Security, Wireless Security.
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...IJNSA Journal
End users are increasingly vulnerable to attacks directed at web browsers which make the most of popularity of today’s web services. While organizations deploy several layers of security to protect their systems and data against unauthorised access, surveys reveal that a large fraction of end users do not utilize and/or are not familiar with any security tools. End users’ hesitation and unfamiliarity with security products contribute vastly to the number of online DDoS attacks, malware and Spam distribution. This work on progress paper proposes a design focused on the notion of increased participation of internet service providers in protecting end users. The proposed design takes advantage of three different detection tools to identify the maliciousness of a website content and alerts users through utilising Internet Content Adaptation Protocol (ICAP) by an In-Browser cross-platform messaging system. The system also incorporates the users’ online behaviour analysis to minimize the scanning intervals of malicious websites database by client honeypots. Findings from our proof of concept design and other research indicate that such a design can provide a reliable hybrid detection mechanism while introducing low delay time into user browsing experience.
Basic survey on malware analysis, tools and techniquesijcsa
The term malware stands for malicious software. It is a program installed on a system without the
knowledge of owner of the system. It is basically installed by the third party with the intention to steal some
private data from the system or simply just to play pranks. This in turn threatens the computer’s security,
wherein computer are used by one’s in day-to-day life as to deal with various necessities like education,
communication, hospitals, banking, entertainment etc. Different traditional techniques are used to detect
and defend these malwares like Antivirus Scanner (AVS), firewalls, etc. But today malware writers are one
step forward towards then Malware detectors. Day-by-day they write new malwares, which become a great
challenge for malware detectors. This paper focuses on basis study of malwares and various detection
techniques which can be used to detect malwares.
Similar to Automation of Web Application Attacks (20)
One Poll survey of 250 IT professionals on the state of application programming interface (API) security, which highlights growing concern for cybersecurity risk related to API use.
A survey of 170 cyber security professionals taken at Infosecurity 2017 on attitudes related to the General Data Protection Regulation - GDPR - and the need for a data privacy officer.
Beyond takeover: stories from a hacked accountImperva
In this presentation, Imperva researchers explore the dynamics of credential theft. The team reversed a phishing hook to hack and track phishers using the same methods that phishers use on their victims. The presentation explores questions such as how long it takes from takeover to exploitation, what the attacker looks for in the hacked account, which decoys attract their attention, and what security practices they use to cover their tracks. Check out the slides and read the report to learn about real-world takeover stories and best practices for breach detection and remediation to protect your data. Read the full report: https://www.imperva.com/DefenseCenter/HackerIntelligenceReports
Research: From zero to phishing in 60 seconds Imperva
Here are the highlights of our research on do-it-yourself kits for phishing attacks, allowing attackers to quickly and elegantly mount a phishing campaign. These slides present examples of phishing kits, reviews their main capabilities, and shows a statistical and clustering analysis of our collection of phishing kits. The main goal of our research is to shed light on the dynamics of phishing and the distribution of phishing kits in the underground community
Making Sense of Web Attacks: From Alerts to NarrativesImperva
Co-Founder & CTO of Imperva, Amichai Shulman, discusses how recognizing the security narrative in your web-application is a big challenge. On the one hand security products are getting more sensitive and are detecting even minor anomalies in incoming web traffic, while on the other hand attacks are becoming more automated and traffic intensive. As a result, security operators find themselves sifting through hundreds of thousands of individual alert messages per day, striving to know what the “#@$%” is going on. These slides present our innovative system that groups individual alerts from a web application firewall into attack narratives. They also present real-world cases and show results.
How We Blocked a 650Gb DDoS Attack Over LunchImperva
Recently, our network was hit with one of the largest DDoS attacks the Internet has seen. We’ll describe the technology and peering architecture used to mitigate the attack. Find out how we enjoyed lunch while automatically mitigating an enormous attack with zero downtime.
A survey of 310 IT security professionals taken at the Infosecurity Europe trade show by Imperva. The survey found that when it comes to insider threats, over half (58 percent) of the IT security professionals were deeply concerned about careless users who unwittingly put their organization’s data at risk.
The slideshow lists the results of a survey on the current state of company preparedness for the European General Data Protection Regulation (GDPR). The survey of 170 security professionals was taken at RSA 2017, the world’s largest security conference.
This presentation, Ransomware Rising, details the results of a survey of security professionals taken at RSA 2017, the world’s largest security conference, exploring their experiences with ransomware.
Conducted Feb. 13-17, at RSA 2017, the in-person survey is based on responses from 170 attendees including IT professionals, managers and executives from the U.S. (77 percent), EMEA (13 percent) and other regions (11 percent).
To learn more about preventing ransomware visit, http://bit.ly/2nwKICL
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
Contractors, privileged vendors and staff additions can pose cyber security risks to your enterprise. Learn how you can protect your data from third parties: http://bit.ly/2o5jUgr
Time to rethink your phishing strategy? Read about how the low cost of launching a phishing campaign and the high projected return on investment for cybercriminals could affect you: http://bit.ly/2nmdSVm
Learn about the growing cyberattack trends, the biggest obstacles in the security industry and threat intelligence buying motivations: http://bit.ly/1WVmlu3
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
Learn where you are most vulnerable to credit card fraud, how illegal "carding" and "cashing out" kill chains work and why Web Application Firewalls and threat intelligence are necessary to prevent attacks. Find out how you can be prepared: http://bit.ly/2nZO6rE
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
Although HTTP/2 promises faster speeds and better performance than its predecessor, its combination of new mechanisms and implementations reintroduces some flaws present in earlier versions. Read more here: http://bit.ly/2nGcpcq
Users and apps pose the biggest risk to your enterprise data with hackers being financially motivated to gain unauthorized access to data. Find out how to prevent major data breaches from internal and external threats: http://bit.ly/2oFImpQ
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
The number one source of data breaches are web app attacks. It doesn't matter where your data resides because cyber criminals and compromised users will find a way to access it. Learn the steps you can take and why you have to protect data where it lives: http://bit.ly/2p3jkgK
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Automation of Web Application Attacks
1. April 2012
Hacker Intelligence Initiative, Monthly Trend Report #9
Automation of Attacks
1. Overview
Cyber-criminals are increasingly using automation to carry out their attacks on web applications. This phenomenon has
several reasons:
› Automatic tools enable an attacker to attack more applications and exploit more vulnerabilities than any manual
method possibly could.
› The automatic tools that are available online save the attacker the trouble of studying attack methods and coming
up with exploits to applications’ vulnerabilities. An attacker can just pick a set of automatic attack tools from the ones
that are freely available online, install them, point them at lucrative targets, and reap the results.
› These tools use resources (like compromised servers that are employed as attack platforms) more efficiently.
› Automatic tools open new avenues for evading security defenses. For example, such a tool can periodically change
the HTTP User Agent header that is usually sent in each request to an application and that may be used to identify
and block malicious clients. As another example, sophisticated automatic tools can split the attack between several
controlled hosts, thus evading being blacklisted.
This report analyzes recently observed trends in the automation of attacks on web applications. The focus is on SQL Injection
(SQLi1) and Remote File Inclusion (RFI2) attacks. Our analysis points out some warning signs that an automatic attack is in
progress and suggests countermeasures for mitigating it. We conclude this report with an analysis of three automated attacks
and demonstrate how each can be identified using the suggested identification methods.
See Imperva’s HII report: http://www.imperva.com/download.asp?id=352
1
See Imperva’s HII report: http://www.imperva.com/download.asp?id=60
2
3. Hacker Intelligence Initiative, Monthly Trend Report
2. Detailed Analysis
Hackers considering how to attack Web applications weigh the benefits of a successful attack (money, prestige within their
peers, etc.) against the effort, time, and money needed to accomplish the attack. Using software to attack other software
shifts the balance in this tradeoff, especially if the used software is already available: an unskilled, inexperienced attacker
can easily attack hundreds of applications with a press of a key within minutes and collect his reward relatively safe of the
risks of detection and accountability.
Publicly available software tools assist the attacker in all the phases of an attack: finding potentially vulnerable applications
(for example, using Google Dorks3); scanning these applications to find the unplugged security holes they actually contain;
preparing exploits tailored to the found vulnerabilities; and finally exploiting the found vulnerabilities. Attack tools can
work “vertically,” applying various and more and more sophisticated attacks against a chosen victim, or “horizontally,” doing
a wide but shallow scan for easy pickings within the multitude of applications on the Web. Regardless of the way the hacker
employs the tools in his arsenal, from defensive perspective identifying that incoming traffic is generated by a software
tool is a warning signal that an attack may be in progress. Such an attack may be especially harmful, due to its speed and
thoroughness at finding and exploiting vulnerabilities. On the other hand, if automatic attack can be reliably identified, this
also presents an opportunity to block most of the malicious traffic directed at the protected application.
2.1 Automation identification methods
2.1.1 Traffic shape
Traffic characteristics like attack rate, attack rate change and attack volume are prime candidates to identify attacks that
were initiated using automatic tools. Obviously, if a single host issues HTTP requests to an application at a high rate (e.g.,
12 requests per minute) this traffic is software-generated. As Table 1 shows, attack rate alone is enough to flag a significant
number of attacks (especially for RFI) as being software-generated.
Consecutive attacks from same host with Ratio of Identified automated attacks
Attack type Attacks
minimal rate of 12 per minute (based on attack rate)
RFI 60,656 18,257 30.1%
SQLi 239,993 177,872 74.1%
Table 1: High-rate automated attacks, January-March
Attackers are aware that traffic shape can be used to identify and mitigate attacks that are directed at a specific site.
Advanced automation tools can introduce random timeouts between attacks on a site to imitate the behavior of an
innocent human user. An attack tool can also use the time between attacks on a specific application to attack multiple
other applications on other sites. Thus, each application sees just the low rate of attack directed at it. Another option for
attackers to avoid rate-based detection of their activity is to issue the attack from multiple hosts. This kind of distributed
attack is still coordinated by a single human attacker, but the victim application logs only low traffic rate from each sender
of HTTP requests.
An automatic tool attacking an unknown application must run through a long phase of exploring combinations of the
application’s URLs and parameters to find vulnerable ones. If the tool tries to avoid rate-based defense mechanisms by
slowing down its interaction with the application, it will generate an unusually long communication pattern. A human user,
on the other hand, will rarely interact with an application continuously for hours at a time.
A high rate of attacks from a host should not be used as an exclusive indicator that this specific host initiates automated
attacks. For example, large parts of the traffic directed at an application may pass through Content Delivery Network
servers or other types of Web proxies. Such Web elements cannot be “blamed” for the traffic that passes through them. To
get a complete and truthful identification that an application is under automated attack, generic traffic shape thresholds
should be combined with other attack indicators or application-specific profiling.
See Imperva’s HII report: http://www.imperva.com/download.asp?id=171
3
Report #9, April 2012 3
4. Hacker Intelligence Initiative, Monthly Trend Report
2.1.2 HTTP headers
Attack automation tools that are freely available online are often published as legitimate penetration testing tools.
Therefore, they mark the traffic they produce with an application-specific User Agent string. For example, the popular SQL
injection tools sqlmap4 and Havij5 send requests with a User Agent containing “sqlmap” and “Havij,” respectively. These tools
are often used by malicious attackers, so a black list of values of the User Agent header is sometimes useful for identifying
automatic attacks, even when its traffic volume is low. However, the tools can masquerade as prevalent browsers by using
the same header’s value they generate. During January-March, 3.8% of the SQLi attacks we observed contained a “havij” User
Agent, and 4.6% contained a “sqlmap” User Agent. Another 4.7% of the SQLi attacks had “NetSparker” User Agent, but they all
composed a single attack. Similarly, “libwww-perl” appeared in the User Agent of 2.7% of the RFI attacks we observed during
this period. This indicates that these attacks were initiated from scripts written in Perl – one of the favorite programming
languages for hackers (though it has many legitimate uses as well).
Generally, HTTP requests generated by automation tools often do not contain headers6 that web browsers usually send,
like Accept-Language or Accept-Charset that shows the languages and character sets that the client can handle. Again, these
headers can be faked, and on the other hand, a benevolent client may also drop these headers, however the absence hints
that the traffic should be closely monitored.
As the figure shows, 98% of RFI attacks and 88% of SQLi attacks are automated, as indicated by the high rate of their
initiation from the attacking host or the missing HTTP Accept headers in the attack messages (or both).
RFI RFI SQLi SQLi
High Rate and Missing Accept Headers High Rate and Missing Accept Headers
Missing Accept Headers Missing Accept Headers
High Rate High Rate
Figure 1: Distribution of RFI and SQLi attacks: Having high initiation rate and/or missing Accept headers
Looking at the pattern of occurrences of automated attacks as revealed by these indicators (Figure 2), attacks without
Accept headers are sometimes sent at a high rate. However, tools also send them very frequently at low rates, as can be seen
for RFI in Figure 2. This can be explained as either a deliberate ploy to avoid detection or as a side effect of the tool being
used to attack multiple applications concurrently and not for a concentrated attack on a single application. Furthermore, the
graph reveals different patterns between the two attack types: While in RFI, there is a lot of relatively low-rate traffic without
Accept headers; in SQLi, the most dominant attacks have high rate and still contain the Accept headers. This distinction
further emphasizes the importance of using multiple indicators to identify automated malicious attacks, as each of them
yields somewhat different portions of the traffic.
4
See: http://sqlmap.sourceforge.net/
5
See: http://itsecteam.com/en/projects/project1.htm
6
See: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
Report #9, April 2012 4
5. Hacker Intelligence Initiative, Monthly Trend Report
Figure 2: Occurrence of automated attacks having high initiation rate and/or missing Accept headers, during the last week of
March 2012.
2.1.3 Tool fingerprints
Automatic attack tools implement some specific algorithm for finding and exploiting application vulnerabilities. Though
each tool may be able to adapt to various attack targets and scenarios, the traffic it produces is eventually limited by the
software itself. Analyzing the history of attacks can sometimes show patterns that match the tool that generated them, like
specific strings in generated SQL fragments used in SQL injection. Such patterns can also be extracted directly from the
source code of the tool, if it is available for investigation.
Fingerprints of tools can be used to identify automated attacks with high certainty. However, each one is specialized to
some versions of a specific tool, so an ongoing research effort is needed to keep a list of such fingerprints relevant for newly
published attack tools.
Report #9, April 2012 5
6. Hacker Intelligence Initiative, Monthly Trend Report
2.1.4 Host’s black lists
When an automated attack is identified from a host, it is very likely that the malicious application that ran on this host will
continue to attack the same or other applications in the near future. Therefore, the IP addresses of such suspicious hosts may
be collected in a black list, and any traffic from them should be closely examined. The IPs in the black list contents should be
expired or refreshed periodically according to new indicators of the traffic content from the respective hosts.
As an example of the potential usefulness of a blacklist of IPs that initiated automated attacks, we took a closer look at the
hosts that issued attacks without Accept headers during January-March. 4,990 hosts issued such automated SQLi attacks,
and 2,730 hosts issued such automated RFI attacks. We observed that for these hosts, the median of the count of attacks and
attacks’ activity days is low. Also, the distribution of these values is wildly divergent, as seen from the ratio of the standard
deviation to the mean (see Table 2).
However, as Figure shows, a large group of the hosts involved in SQLi attacks were very actively attacking for about three
weeks, and a group of hosts continued to attack for much longer, up to 80 days. Figure shows that a large portion of RFI
attackers was very active during even longer periods. Attackers that were active for at least three days accounted for 30% of
the automated SQLi attacks and 61% of the automated RFI attacks.
We conclude that with appropriate thresholds on attack activity period of identified automatic attackers, blacklists of these
attackers can be extracted from observed attack traffic. These lists can be used to block significant portions of following
attacks. As can be seen in Figures 3 and 4, in both attack types some attacks last for more than two months, thus making
blacklists a useful tool for blocking attackers. The value of each list expires within a few days or weeks (depending on the
attack type), but with periodic refreshment this simple mechanism is a very useful security tool.
Its importance is enhanced when blacklists are shared by communities of applications, since an attacker identified by one
application can be blacklisted and blocked by all other applications before any harm can be done.
Median Mean Standard Deviation Max
Attacks activity days 1 3.28 8.4 81
SQLi
Count of attacks 3 21.7 334.4 19,119
Attacks activity days 1 5.4 12.7 90
RFI
Count of attacks 4 21.3 188.1 8,956
Table 2: Attacking hosts’ activity characteristics
Report #9, April 2012 6
7. Hacker Intelligence Initiative, Monthly Trend Report
Figure 3: Activity of hosts issuing automated SQLi attacks (without Accept headers). The number of attacks is presented on
logarithmic scale.
Figure 4: Activity of hosts issuing automated RFI attacks (without Accept headers). The number of attacks is presented on
logarithmic scale.
2.2 Automatic attacks trends
2.2.1 Geographic origin of attacks
The observed SQLi attacks without Accept headers during January-March originated from 4,990 hosts located at 74
countries. For RFI, the attacks came from 2,730 hosts and 69 countries. As Table 3 shows 80% of the automated SQLi
attackers were hosts in the United States. While 49% of RFI attackers were located at the United States, the rest were more
evenly distributed. This is also illustrated in Figures 5 and 6.
Report #9, April 2012 7
8. Hacker Intelligence Initiative, Monthly Trend Report
SQLi RFI
Country Hosts % of Hosts Country Hosts % of Hosts
USA 3994 80 USA 1337 49
China 355 7 Germany 170 6
United Kingdom 75 2 France 146 5
Russian Federation 49 1 United Kingdom 124 5
Canada 40 1 Canada 105 4
Republic of Korea 33 1 Republic of Korea 80 3
Germany 31 1 Netherlands 68 2
Brazil 29 1 Brazil 54 2
India 28 1 Russian Federation 51 2
France 24 1 Italy 41 2
Table 3: Geographic distribution7 of hosts sending automated (without Accept headers) RFI and SQLi attacks
Figure 5: Hosts initiating automated (without Accept headers) SQLi attacks per country
Figure 6: Hosts initiating automated (without Accept headers) RFI attacks per country
The number of hosts per country is not normalized by the total number of hosts on each country
7
Report #9, April 2012 8
9. Hacker Intelligence Initiative, Monthly Trend Report
A further analysis of the attacking hosts that issued high-rate attacks (that is, higher than 12 requests per minute), revealed a
somewhat different pattern.
As shown in Table 4, 30% of SQLi attacking hosts originate from China, exceeding even the USA. These two countries
account together for more than half the high-rate SQLi attacks, while the other attackers are distributed among some quite
unusual countries, like Egypt, Morocco, and Luxemburg. This might be consistent with the spreading use of automated,
user-friendly attacking tools that enables inexperienced users to execute attacks rather easily.
SQLi RFI
Country Hosts % of Hosts Country Hosts % of Hosts
China 98 30 USA 58 39
USA 78 24 Germany 16 11
Netherlands 9 3 France 11 7
Morocco 8 2 Republic of Korea 5 3
Egypt 7 2 Italy 5 3
Luxemburg 7 2 Netherlands 5 3
Brazil 7 2 Spain 4 3
France 7 2 Turkey 4 3
Indonesia 6 2 Canada 4 3
Russian Federation 6 2 Japan 2 1
Table 4: Geographic distribution8 of hosts sending high-rate RFI and SQLi attacks
Figure 7: Hosts initiating high-rate SQLi attacks per country
The number of hosts per country is not normalized by the total number of hosts on each country
8
Report #9, April 2012 9
10. Hacker Intelligence Initiative, Monthly Trend Report
Figure 8: Hosts initiating high-rate RFI attacks per country
2.3 Compromised servers as attack platforms
We have confirmed9 that at least 57 of the 4,990 hosts that issued automated SQLi attacks were compromised HTTP servers.
Similarly, we have confirmed that 462 of the 2,730 hosts that issued automated RFI attacks were compromised HTTP servers.
The high ratio of compromised servers in RFI attacks (17%) is interesting, since this kind of attack is intended to take control
of a web application. The exploits used in RFI attacks often let the attacker maintain a hidden control channel to the server
on which the compromised application is deployed. Through this channel, the attacker combines the infected server into
his distributed platform of computing resources, and uses it to attack yet other applications on the Internet. This growing
network of maliciously controlled servers can be compared to spreading of a disease within a population through carriers.
2.4 Automation Examples
In this section we demonstrate how the above-mentioned methods can be used to identify automated attacks, as were
observed in our data. Although these attacks use different attack methods, different tools and have different aims, using the
outlined methods in collaboration enables us to identify all of them.
2.4.1 Havij
As mentioned earlier, Havij is a popular freely available SQL injection tool, known for its efficiency.
2.4.1.1 Rate
The average rate was 70 requests per minute, with the slowest attack having 38 requests per minute obviously much faster
than any human attacker could reach manually.
Other hosts that participated in the attacks may be compromised servers, but we were unable to confirm this
9
Report #9, April 2012 10
11. Hacker Intelligence Initiative, Monthly Trend Report
2.4.1.2 HTTP Headers
None of the requests had Accept-Language or Accept-Charset headers, suggesting they were not generated by a normal
browser.
Most of the requests had Havij typical user agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR
2.0.50727) Havij. These requests also had other headers, like “Host” and “Accept.” The rest of the requests had no headers at
all, and, therefore, were identified by other measures.
2.4.1.3 Tool Fingerprint
The injected SQL strings usually contain a constant number that is repeated in changing amount of times. (For example:
999999.9 union all select 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536—)
This number can be used as a fingerprint unique for the identification of Havij-generated attacks.
2.4.1.4 2.4.2.4 Blacklists/ Reputation
A query in an IP database revealed that the attacking IP is recognized as a mail server and dictionary attacker.
2.4.2 Nikto Scanner
Nikto is an open-source scanner that tests for various weaknesses and vulnerabilities, among which RFI, Directory Traversal,
Cross-Site Scripting, and SQL injection. It also tests for outdated versions and potentially dangerous files.
2.4.2.1 Rate
The observed attack vectors had a rate of 540 requests per minute, with the slowest vector having 264 requests per minute.
Such high-rate activity should immediately set an alarm.
2.4.2.2 HTTP Headers
As stated on its website: “Nikto is not designed as an overly stealthy tool10…”.
Thus, all the requests contain the typical user agent that contains, apart from the tool’s name and version, also a “Test ID”
that identifies the specific vulnerability scanned.
In the observed attack, TestIDs go from 1 to 6486. e.g. Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000108)
Each Test ID seeks a certain vulnerability in a predefined set of locations. For example, Test:000003 requests look for the
file cart32.exe in 21 different locations on the attacked machine. The same goes for Test:000004, that searches the file
classified.cgi. Each numeric TestID fits a certain file. Other Test IDs contain the type of the test, for example:
Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)
Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:Port Check)
Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:embedded detection)
Other than the user agent, headers like “Content-Type” and “Connection” appear occasionally in Nikto requests, but neither
of the requests had Accept headers.
2.4.2.3 Tool Fingerprint
As the User Agent appears in all the requests, it serves as a good fingerprint to identify the tool.
Another unique identifier can be found in the URL Nikto uses in its RFI tests; in each request, the URL http://cirt.net/rfiinc.
txt? is inserted in a different HTTP parameter. The file contains the php code: <?php phpinfo(); ?> that simply checks
whether this parameter is vulnerable for RFI attacks.
2.4.2.4 Reputation
In this case, there was nothing to suggest the source of the attack had malicious reputation. The source IP was allocated to
LightEdge.com, a Cloud computing provider.
To conclude, attacks generated by Nikto scanner have a typical user agent, no Accept headers, show high frequency of
requests and have a typical URL used for RFI.
See: http://cirt.net/nikto2
10
Report #9, April 2012 11