Malicious hackers spend quite a bit of time gaming the Internet search engines in a bid to have their malware-laden sites turn up on the first page of search results for hot, trending news topics. Increasingly, though, computer criminals also are taking steps to block search engines bots from indexing legitimate Web pages that have been hacked and booby-trapped with hostile code.
Search giants Yahoo! and Google each have automated programs that crawl millions of Web sites each week in search of those hosting malicious code. When the search providers find these sites, they typically append a warning to the hacked Web site’s listing in search results, alerting the would-be visitor that the site could be dangerous. These warnings not only result in fewer people visiting infected sites, but they have a tendency to alert a listed site’s owners to a malware problem that needs attention.
This is all well and good for you and me, but not so wonderful for the bad guys. Unless, of course, said bad guys have planned ahead, by inserting code in their hacked sites that hands out malicious code to everyone except the automated anti-malware bots deployed by the top search providers.
Which is precisely what security expert David Dede found earlier this month while analyzing some Web-based malware.
Denis Sinegubko, a Russian researcher with the blog UnmaskParasites.com, recently has documented at least two examples of malware stitched into blogs that will modify the host site to hide malicious redirects from Google’s search bots.
“And the fact that I can see many such blogs in Google search results without any warnings shows that this simple trick does its job,” Sinegubko wrote.
Google’s search experts say they’re aware of and constantly counteracting these types of obfuscation techniques.
Niels Provos, principal software engineer at Google, said cyber crooks frequently try to play both sides, by attempting to block search bots from finding malware stitched into hacked sites, while simultaneously gaming the search engine bots.
“This has been going on for some time. What happens is if a Web crawler comes along, [the attackers will configure the hacked site so that it] ends up showing [trending content] they get from news sites,” Provos said. “This is to game the ranking of search content. But then if the visitor comes to one of these sites via a search engine, he ends up getting exploit code.”
Provos declined to discuss the specific steps Google takes to combat these tactics, noting that the fight with these Web site hackers is a constant arms race.
“Often these are just aimed at making it more difficult for someone from the outside investigating this kind of thing to find the bad code,” Provos said. “In any case, we have to make adjustments from time to time, but we work around them.”