
July 4th, 2007

The dark side of search engines

Posted by Ryan Naraine @ 8:33 pm


* Ryan Naraine is on vacation.

Guest Editorial by Roger Thompson

As a malware researcher, I spend the majority of my days studying the dark side of the web (is that a good job or what?), and one of the most interesting things I get to see is the weird, and sometimes wonderful, search engine queries that result in dangerous Web sites.

Most people probably think that as long as they don’t visit Web sites of ill-repute, they’ll be quite safe, but that’s not quite true. Yes, it’s undoubtedly dangerous to walk on the virtual wild side, but we’ve noticed a disturbing trend towards hacking innocent websites, and turning them into unwitting lures for the exploit servers.

The first important trend is that, about eighteen months ago, there was just one commercial package of web-based exploit software, WebAttacker. Today, WebAttacker is gone, its developers unable to keep the pace, but replaced by at least three better-written competitors — WebAttacker2/MPack, Neosploit, and at least one other that we don’t have a name for yet.


The second trend is that, about eighteen months ago, the perpetrators were probably equally divided between trying to install adware on the victim’s computer, and trying to sell the victim a spyware remover to remove the spyware they just installed, along with other payloads such as keyloggers and backdoors for fun and profit. Today, the semi-innocent, arguably aggressive marketing has all but disappeared, and has been replaced by overtly criminal activity. They want your bank accounts, folks, and they’re getting better at it all the time.

The third trend is that mass-defacements of websites seem to be being replaced by mass-infection of websites. Several tools are being sold which can probe massive numbers of websites, trying to inject iFrames that reach back to the exploit server, and thus result in innocent queries becoming dangerous searches.

Here are some examples of recent queries where the wrong choice results in an exploitive website:

“music without voice” — if you make the wrong choice, you get a WebAttacker2-infected website

“famous cubists” — wrong choice gets a WebAttacker2

“florida baptist churches” — the wrong choice gets a website infected with an MDAC exploit

“court instruments” — the wrong choice finds a Web site that links to a known rootkitter.

So what does the future hold?

The bad guys understand that while firewalls do a pretty good job of keeping out network worms, web browsers start from inside the firewall, and therefore create an instant tunnel right through the firewall.

I’m fairly confident that the mass infection tools will continue to improve, and the result of that will be more and more hacked innocent lures. They get cleaned up quite quickly but just as quickly others are hacked and take their place.

* Roger Thompson is an anti-virus industry veteran, having started one of the first anti-virus companies in Australia in 1987. He is chief technical officer of Exploit Prevention Labs.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


