Automated Google-Hacking

Hackers are conducting reconnaissance efforts on a massive scale.  Attackers are increasingly leveraging the power of search engines, like Google, to carry out probe and enumeration exercises against vulnerable websites, according to a report by Imperva.  Google and other search engines have put in place “anti-automation” measures to hamper search engine abuse, but staying ahead of a determined opponent is proving to be quite challenging.

Dubbed “Google Hacking,” hackers are using specially crafted search queries run on their botnet zombies’ browsers to generate more than tens of thousands of queries a day and by-pass the deterrent measures.  The aim of running these queries is to ultimately identify potential attack targets and to build an accurate picture of the resources within that server that can be potentially exposed.  By automating the queries, using zombies to distribute the load and parse the results, the attacker can carry out a very large number of search queries, filter the returned results and only needs to bother with a short list of potentially exploitable sites in a very short time and with minimal effort.  Hackers take advantage of a botnet’s dispersed nature, giving search engines the impression that specific individuals are performing a routine search.

One common feature of most search engines is that they can be directed to return results that are focused on specific potential targets by using a set of query operators.  For example, the attacker may focus on all potential victims in a specified geographic location (i.e. per country).  In this case, the query includes a “location” search operator.  In another scenario, an attacker may want to target
all vulnerabilities in a specific web site, and achieves this by issuing different queries containing the “site” search operator.  Only those sites that expose that particular weakness or use that specific code will be present in the results displayed.

From the report, here is the Hacker’s 4 Step Industrialized Attack: Continue reading

Chrome & Win-7 Security By-Passed

French security company Vupen says that it’s hacked Google Chrome, sidestepping the browser’s built-in “sandbox” AND also evading Windows 7’s integrated anti-exploit technologies.  The claims have not yet been confirmed by the vendors.

The exploit is one of the most sophisticated pieces of code that Vupen has created so far, according to their blog.  The exploit can be served from a malicious Web site, and if a Chrome user surfed to that site, the exploit executes various payloads to download an executable from a remote location, launching it outside the sandbox at “Medium integrity level”.  It is silent (no crash after executing the payload), it relies on undisclosed (‘zero-day’) vulnerabilities and it works on all Windows systems.

Vupen posted a video demonstration of its exploit on YouTube.  That is what I call “fugly”.  I hope that Vupen keeps this code wrapped up tightly until both Microsoft and Google have had a crack at patching against it.


Google Buys Malware Research Firm Zynamics

Google has bought reverse-engineering and analysis tools firm Zynamics. Financial terms of the deal, announced on Tuesday, were undisclosed. 

Google’s security focus has been geared towards managing search engine optimisation (SEO), a tactic that causes links to fake-AV sites to appear prominently in searches for topical terms, and in the classification and blocking of malicious websites.  I expect that Zynamics existing malware analysis tools including BinDiff, BinNavi and VxClass,will aid in this effort.

Google Stings Microsoft

Google’s executives have grown suspicious of how closely Microsoft’s search engine results mirror their own. On Feb. 1, the blog Search Engine Land detailed Google’s “sting operation” against Bing.  

  • First, Google found some search terms with no matches on either search engine.
  • Next, Google created “honeypot” pages that appeared on top of its search results for those terms.
  • When a portion of Bing search results mirrored Google’s honeypot tainted results, accusations flew.

Continue reading

Google, Microsoft Hosted Malware Laced Ads

For a few days this week, criminals managed to infect Google’s DoubleClick and Microsoft’s Hotmail online ad networks with malicious advertisements that attacked users’ PCs, according to security consultancy Armorize.  The attacks started around Dec. 5 and lasted a few days, sending victims who clicked on the ads to malicious Web pages.  The pages took advantage of known software bugs to install backdoor programs, giving the attackers control of the victims’ PCs, or installing Fake-AV software that made it appear as though the PCs are filled with malicious software which can be removed, for a price…  NetworkWorld

“Help & Support” Exploit Used On 10,000 Systems

Nearly a month after a Google engineer (shame) irresponsibly disclosed details of a new Windows XP flaw, criminals are ramping up online attacks that leverage this bug.  Microsoft reported Wednesday that it has now logged more than 10,000 attacks.   At first it was only legitimate researchers testing proof-of-concept code.   Then on June 15th, the first real public exploits began to emerge.

“Those initial exploits were targeted and fairly limited.  In the past week, however, attacks have picked up.”  The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said.   PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks.

To avoid falling victim, Microsoft advised users to turn off the part of the Help and Support system that is vulnerable. It has produced an automated tool that can do this for users.


Lessons Learned from Aurora

As Operation Aurora highlighted, advanced persistent threats (APT) are an increasingly common form of complex and directed attacks that use insidious techniques for gaining access to privileged systems and maintaining that access until all of the attackers’ goals and objectives have been met. Operation Aurora employed an APT technique that proved extremely successful in targeting, exploiting, accessing, and exfiltrating highly valuable intellectual property from its victims. This paper details Operation Aurora and provides some insight into what was learned and how to prevent such attacks from being successful in the future.

On Wednesday March 17th at 1PM EST, NetWitness and Forrester are hosting a webinar to investigate what qualifies as an APT, the latest APT methods, network forensics studies of true APT attacks on commercial and government organizations, and countermeasures to protect your enterprise and assets from these most insidious and persistent adversaries. Register