Could Google be tricked into talking to botnets?

Cybercriminals could start to take advantage of the popularity of search engines like Google as vehicles for relaying malicious code to botnets every time a particular keyword is searched for, said one security expert.

Creators of botnets could potentially inject code in various Web sites and choose particular keywords that nobody is yet using on the Web, said Vaclav Vincalek, president of Pacific Coast Information Systems (PCIS) Ltd in Vancouver, BC.

"If the botnet starts using Google for special keywords and finds the code and executes, you can start using Google as the transmission of the code or instructions to these botnets," said Vincalek.

"Basically, [the search engines] will do the dirty work."

The strategy would work rather well considering "zillions" of people use search engines to conduct searches on a daily basis, and engines like Google are guaranteed to index all sites, said Vincalek.

Vincalek said the approach requires neither sophisticated technology nor much effort, since inserting malicious code into Web sites is not difficult, but he isn't aware of anyone employing the strategy yet. "I haven't heard, but it's fairly straightforward," he said.

The use of search engines as vehicles for transmitting instructions to botnets is an example of how popular tools on the Web can be utilized by cybercriminals for their own gain.

Recently, Symantec Corp. identified a piece of malware it calls Downloader.Sninfs that uses the micro-blogging tool Twitter as a command-and-control structure to distribute the malware Infostealer.Bancos, which then steals passwords through a phishing site posing as certain Brazilian banks.

Infected PCs were following the RSS feed of the now-suspended Twitter account "Upd4t3", which was acting as a configuration file for the malware by publishing information about where additional threats could be downloaded.

However, Vincalek said suspending a single Twitter account is much easier than if an entire search engine had been hijacked. "With Twitter, it was easy to shut down one account. How do you shut down Google?" he said.
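Both relay schemes described above, the search engine polled for a rare keyword and the micro-blog feed read as a configuration file, share one property a defender can use even when the relay itself cannot be shut down: the infected machine has to fetch the same query or URL over and over, normally on a fixed timer. The following is an added example, not code from the article or from Symantec, that runs that check over a constructed proxy log. The log format, the fictitious hostnames, the keyword and the thresholds are all assumptions.

```python
"""Spot dead-drop polling in proxy logs.

A bot that fetches its orders through a public relay, whether a search
engine queried for a rare keyword or a micro-blog account's RSS feed, has to
poll the same query or URL again and again, normally on a fixed timer. That
leaves a signature a proxy can see: one (client, query) pair recurring at
regular intervals, sometimes the same odd keyword from several clients.
Added example, not code from the article; log format, hostnames and
thresholds are assumptions.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log: "<ISO timestamp> <client ip> <requested URL>".
# Hosts are fictitious. 10.0.0.5 searches a nonsense keyword every 5 minutes,
# 10.0.0.9 polls a feed every 5 minutes, 10.0.0.7 is an ordinary user.
SAMPLE_LOG = """\
2009-08-14T10:00:00 10.0.0.5 http://search.example/search?q=xq7v9kk2zt
2009-08-14T10:00:02 10.0.0.9 http://microblog.example/feeds/upd4t3.rss
2009-08-14T10:05:00 10.0.0.5 http://search.example/search?q=xq7v9kk2zt
2009-08-14T10:05:01 10.0.0.9 http://microblog.example/feeds/upd4t3.rss
2009-08-14T10:07:13 10.0.0.7 http://search.example/search?q=vancouver+weather
2009-08-14T10:10:00 10.0.0.5 http://search.example/search?q=xq7v9kk2zt
2009-08-14T10:10:03 10.0.0.9 http://microblog.example/feeds/upd4t3.rss
2009-08-14T10:15:01 10.0.0.5 http://search.example/search?q=xq7v9kk2zt
2009-08-14T10:15:02 10.0.0.9 http://microblog.example/feeds/upd4t3.rss
2009-08-14T10:20:00 10.0.0.5 http://search.example/search?q=xq7v9kk2zt
2009-08-14T10:20:02 10.0.0.9 http://microblog.example/feeds/upd4t3.rss
2009-08-14T10:31:44 10.0.0.7 http://search.example/search?q=xq7v9kk2zt
2009-08-14T10:41:10 10.0.0.7 http://search.example/search?q=hockey+scores
"""


def request_key(url: str) -> str:
    """Reduce a request to what the client is really asking for: the search
    term when the URL carries a q= parameter, otherwise host plus path."""
    parts = urlsplit(url)
    terms = parse_qs(parts.query).get("q")
    if terms:
        return "search:" + terms[0].strip().lower()
    return "url:" + parts.netloc + parts.path


def timing(times: list[datetime]) -> tuple[float, float] | None:
    """Mean gap between requests and its coefficient of variation.
    A CV near zero means the requests come from a timer, not a person."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_polling(log: str, min_hits: int = 4, max_cv: float = 0.1) -> list[dict]:
    """Return one finding per (client, key) that repeats at least min_hits
    times with near-constant spacing, plus the other clients that asked
    for the same key (a shared nonsense keyword is the stronger signal)."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    clients_for_key: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, client, url = line.split(maxsplit=2)
        key = request_key(url)
        by_pair[(client, key)].append(datetime.fromisoformat(stamp))
        clients_for_key[key].add(client)

    findings = []
    for (client, key), times in sorted(by_pair.items()):
        times.sort()
        stats = timing(times)
        if len(times) < min_hits or stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            findings.append({
                "client": client,
                "key": key,
                "hits": len(times),
                "period_s": round(mean_gap),
                "other_clients": sorted(clients_for_key[key] - {client}),
            })
    return findings


if __name__ == "__main__":
    for f in find_polling(SAMPLE_LOG):
        print(f)
```

Two caveats a practitioner would apply before alerting on this. Legitimate feed readers also poll on a timer, so the regular RSS fetch on its own is weak evidence; the search case is stronger because an ordinary user does not repeat a meaningless keyword every five minutes, and the same keyword turning up from a second client (the "other_clients" field) points at shared tooling. And the q= parameter is only visible to the proxy when the search traffic is plain HTTP or the proxy terminates TLS; otherwise only the host and timing survive, and the feed and search cases collapse into the same generic beaconing check.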

Symantec Security Response is continuing to investigate the botnet that was using Twitter. At least 11,000 PCs were infected with the majority from Brazil.

The risk is "rather minimal" to Canadians and not particularly widespread vis-à-vis comparable threats, said Elias Levy, senior technical director with Symantec. About 12 of the infected users were in Canada, although Levy said it is not clear how many of those were people accessing the URL for research purposes rather than actual infections.

But the situation is nonetheless noteworthy. "What is interesting, and what led to it becoming more widely known, is the fact it was using Twitter as a communication mechanism -- which is a new revelation," said Levy.

The attack did not spread through Twitter itself. Instead, the micro-blogging site was used as a channel between infected machines and those controlling the botnet, explained Levy, "so in fact the threat was already executing on peoples' PCs."

It is unclear, he added, how PCs were infected in the first place.

What is clear, though, is the trend that the moment a communication platform like Twitter becomes popular, it naturally is a focus of cybercriminals, said Levy.

This incident should alert people that Twitter is no different from other communication media like e-mail and instant messaging, noted Levy.

"They have to remember a lot of the services are designed very open, and any information they make available can potentially be accessed by would-be attackers who can try to use that information," he said.

Potential dangers of this information falling in the wrong hands include identity theft and the ability for cyber attackers to contact unsuspecting users through those platforms, said Levy.

But while the threat appears to be focused on Brazil, Levy said, historically, such incidents have been mimicked in other countries.

Vincalek said that while social networks were really about socializing and making friends, the use of such platforms has now become a competition to see who can amass the most followers or follow the most people. "(As for) everyone you are following, do you know them?" said Vincalek.

"Everybody is excited about Twitter and they see this as a social enabler ... (but) humans everywhere are inventive and they also find ways to use this for other means that it was not originally meant for," said Vincalek.

This story, "Could Google be tricked into talking to botnets?" was originally published by ComputerWorld-Canada.

Copyright © 2009 IDG Communications, Inc.