Computerworld Canada - Cybercriminals could start to take advantage of the popularity of search engines like Google as vehicles for relaying malicious code to botnets every time a particular keyword is searched for, said one security expert.
Creators of botnets could potentially inject code in various Web sites and choose particular keywords that nobody is yet using on the Web, said Vaclav Vincalek, president of Pacific Coast Information Systems (PCIS) Ltd in Vancouver, BC.
"If the botnet starts using Google for special keywords and finds the code and executes, you can start using Google as the transmission of the code or instructions to these botnets," said Vincalek.
"Basically, [the search engines] will do the dirty work."
The strategy would work rather well considering "zillions" of people use search engines to conduct searches on a daily basis, and engines like Google are guaranteed to index all sites, said Vincalek.
While Vincalek said the approach doesn't require sophisticated technology, nor is it difficult to insert malicious code into Web sites, he isn't aware of anyone employing the strategy yet. "I haven't heard, but it's fairly straightforward," he said.
The use of search engines as vehicles for transmitting instructions to botnets is an example of how popular tools on the Web can be utilized by cybercriminals for their own gain.
Recently, Symantec Corp. identified a malware it called Downloader.Sninfs that uses micro-blogging tool Twitter as a command-and-control structure to distribute the malware Infostealer.Bancos, which then steals passwords through a phishing site posing as certain Brazilian banks.
Infected PCs were following the now-suspended Twitter RSS file "Upd4t3" that was acting as a configuration file for malware by sending information about where additional threats could be downloaded.
However, Vincalek said suspending a single Twitter account is much easier than if an entire search engine had been hijacked. "With Twitter, it was easy to shut down one account. How do you shut down Google?" he said.
Symantec Security Response is continuing to investigate the botnet that was using Twitter. At least 11,000 PCs were infected with the majority from Brazil.
The risk is "rather minimal" to Canadians and not particularly widespread vis-á-vis comparable threats, said Elias Levy, senior technical director with Symantec. The Canadian users infected number about 12, however, Levy said it is not clear which of those were people accessing the URL for research purposes, or were actual infections.
But the situation is nonetheless noteworthy. "What is interesting, and what led to it becoming more widely known, is the fact it was using Twitter as a communication mechanism -- which is a new revelation," said Levy.
The attacks were not actually using Twitter. Instead, the micro-blogging site was used to communicate with those controlling the botnets, explained Levy, "so in fact the threat was already executing on peoples' PCs."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
