Dr Igor Muttik, McAfee AVERT
Traditionally, viruses and other malware were distributed using push techniques – either the viruses themselves or their authors actively spread copies around. With the exception of auto-executing worms, this method of distribution requires user intervention – a user has to click on an email attachment (or launch a program). Users have been taught for years to be very cautious about all unsolicited emails. In such a situation users’ defences are high, and such objects are likely to be avoided or treated with caution.
The situation changes when users themselves are looking for something. Motivated to complete what they perceive to be their own task, they are very likely to lower their defences. What we are seeing now is that ‘the bad guys’ are attacking Internet search engines in order to distribute malicious code. We analyse and dissect a case where malicious code was distributed using this technique. We call this technique ‘index hijacking’ – a malware distribution method based on an active pull initiated by the very user.
How does the attack work? For example, a user enters something as innocent as ‘Santa Trojan’ or ‘Skipping Christmas’ into Google and is offered a bunch of links. Following most of these links would load his computer with unwanted programs and Trojans. We present the analysis of this attack.
Distribution of malware via search engines requires several prerequisites to be in place before a successful attack. Firstly, an attacker has to have one or more websites to host the malware. Secondly, he has to make sure that search engines return links to his site to users frequently enough. Thirdly, it is best for him if his site(s) come up at the top of the results list (a high ranking). We discuss the methods used by common search engines for crawling and ranking web pages, and we show, using real examples, how the crawlers that collect content for Internet search engines can be manipulated.
We expect the index-hijacking technique to become more common. We discuss how armies of ‘bot zombies’ can be involved. Perhaps some day one will be able to hire a slot on a site promoted via index hijacking to push something really nasty around in no time.