Hackers are using botnets and specially crafted search queries called “Dorks” to identify vulnerable websites
Hackers are using botnets to generate more than 80,000 search queries a day, allowing them to identify potential attack targets in a very short time and with minimal effort.
According to security firm Imperva’s latest Hacker Intelligence report (pdf), special search terms known as “Dorks” are used to home in on potential attack targets. A Dork is a search query built from advanced search operators (such as inurl:, intitle: or filetype:) combined with strings characteristic of a particular vulnerable application, error message or exposed file, so that the returned results amount to a ready-made list of potentially vulnerable webpages. Dorks are commonly exchanged between hackers in forums and collected in public repositories such as the Google Hacking Database.
Automating queries on search engines using a botnet enables the attacker to get a filtered list of potentially exploitable sites very quickly. Because the queries originate from the IP addresses of the compromised machines rather than the attacker’s own, the attacker’s identity remains concealed.
“Hackers have become experts at using Google to create a map of hackable targets on the web,” said Imperva’s chief technology officer Amichai Shulman. “This cyber reconnaissance allows hackers to be more productive when it comes to targeting attacks which may lead to contaminated websites, data theft, data modification, or even a compromise of company servers.”
Using botnets to avoid detection
The problem with today’s search engines is that their defences against automated querying are keyed on the IP address of the originating request: a single source that issues too many queries is throttled or blocked. A botnet sidesteps this simply by spreading the queries across many compromised machines, so that each source IP stays below the threshold that would trigger a block.
Having created a list of potentially vulnerable resources, the attacker can launch a targeted attack designed to exploit vulnerabilities in pages retrieved by the search campaign. Such attacks might include infecting web applications, compromising corporate data or stealing sensitive personal information.
Imperva recommends that search engine providers should watch for suspicious queries, whatever their source – for instance, queries that match entries in public Dork databases, or queries that look for known sensitive files.
However, organisations also need to be aware of the risks. Because search engines index most corporate web content thoroughly – including web applications – the exposure of vulnerable applications is bound to occur, warns Imperva. Businesses can protect against exploits by deploying runtime application-layer security controls, such as a web application firewall or reputation-based controls.
During May and June, Imperva observed a specific botnet attack that stepped through dozens of pages of returned results for each query by manipulating the paging parameters in the query. Nearly 550,000 queries were requested during the observation period. The attacker took advantage of the bandwidth available to the dozens of controlled hosts in the botnet to seek out and examine vulnerable applications.
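The following is an added illustration, not code from Imperva’s report or from the article, of the two detection views contrasted above: the per-source-IP volume check that search engines rely on, and the query-content checks the report recommends (matching dork operators and sensitive-file terms, and spotting one query string being paged through from many hosts). The log format, the IP addresses, the operator and term lists and the thresholds are all assumptions made up for the example.

```python
"""Query-log checks for dork-driven reconnaissance (constructed example).

Contrasts the per-IP rate check that a botnet defeats with content-based
checks on the query itself: dork operators, sensitive targets, and a single
query walked through result pages from many source IPs."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample, one request per line: "<client_ip> <path?query>".
# Not real traffic: a six-host "botnet" paging through one SQL-injection
# dork, one host issuing two file-exposure dorks, three ordinary single
# searches, and one busy but legitimate client (192.0.2.30).
SAMPLE_LOG = """\
203.0.113.10 /search?q=inurl%3Aindex.php%3Fid%3D+intext%3A%22mysql_fetch_array%22&start=0
203.0.113.11 /search?q=inurl%3Aindex.php%3Fid%3D+intext%3A%22mysql_fetch_array%22&start=10
203.0.113.12 /search?q=inurl%3Aindex.php%3Fid%3D+intext%3A%22mysql_fetch_array%22&start=20
203.0.113.13 /search?q=inurl%3Aindex.php%3Fid%3D+intext%3A%22mysql_fetch_array%22&start=30
203.0.113.14 /search?q=inurl%3Aindex.php%3Fid%3D+intext%3A%22mysql_fetch_array%22&start=40
203.0.113.15 /search?q=inurl%3Aindex.php%3Fid%3D+intext%3A%22mysql_fetch_array%22&start=50
198.51.100.7 /search?q=filetype%3Asql+%22INSERT+INTO%22+%22password%22&start=0
198.51.100.7 /search?q=intitle%3A%22index+of%22+wp-config.php&start=0
192.0.2.20 /search?q=best+pizza+near+me
192.0.2.21 /search?q=python+urllib+parse_qs+example
192.0.2.22 /search?q=site%3Aexample.com+careers
192.0.2.30 /search?q=weather+tomorrow
192.0.2.30 /search?q=train+times+to+london
192.0.2.30 /search?q=how+to+boil+an+egg
192.0.2.30 /search?q=currency+converter
192.0.2.30 /search?q=bbc+news
"""

# Advanced-search operators that rarely appear in ordinary searches but are
# the backbone of published dorks. site: is left out: it is common in
# legitimate queries and would cause false positives.
DORK_OPERATORS = re.compile(r"\b(?:all)?(?:inurl|intitle|intext|filetype|ext|inanchor):")

# Strings typical of exposed files, database dumps and verbose error pages
# (an assumed, illustrative list; a real deployment would use a curated one).
SENSITIVE_TERMS = (
    "index of", "wp-config", "config.php", "phpinfo", "phpmyadmin", ".sql",
    ".bak", "mysql_fetch_array", "sql syntax", "insert into", "password",
    "passwd", "/etc/",
)


def parse_log(text):
    """Turn log lines into dicts of client IP, decoded query and page offset."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, path = line.split(maxsplit=1)
        params = parse_qs(urlsplit(path).query)   # parse_qs also URL-decodes
        records.append({
            "ip": ip,
            "query": params.get("q", [""])[0],
            "start": int(params.get("start", ["0"])[0]),
        })
    return records


def per_ip_volume(records, threshold=5):
    """The classic check: flag any single IP at or above `threshold` queries."""
    counts = Counter(r["ip"] for r in records)
    return {ip for ip, n in counts.items() if n >= threshold}


def dork_score(query):
    """Count dork operators and sensitive targets in one query string."""
    q = query.lower()
    return len(DORK_OPERATORS.findall(q)) + sum(1 for t in SENSITIVE_TERMS if t in q)


def flag_dorks(records, min_score=2):
    """Flag queries by content, regardless of which IP sent them."""
    flagged = []
    for r in records:
        score = dork_score(r["query"])
        if score >= min_score:
            flagged.append(dict(r, score=score))
    return flagged


def find_campaigns(records, min_ips=3, min_pages=3):
    """Group identical queries; flag those paged through from many source IPs."""
    groups = defaultdict(lambda: {"ips": set(), "pages": set()})
    for r in records:
        key = " ".join(r["query"].lower().split())
        groups[key]["ips"].add(r["ip"])
        groups[key]["pages"].add(r["start"])
    return {q: g for q, g in groups.items()
            if len(g["ips"]) >= min_ips and len(g["pages"]) >= min_pages}


def analyze(text):
    records = parse_log(text)
    return {
        "by_ip_volume": per_ip_volume(records),
        "by_content": sorted({r["ip"] for r in flag_dorks(records)}),
        "campaigns": find_campaigns(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("IP-volume check flags:", result["by_ip_volume"])   # only the busy legit client
    print("Content check flags:  ", result["by_content"])     # the seven dorking hosts
    for q, g in result["campaigns"].items():
        print(f"Campaign {q!r}: {len(g['ips'])} hosts over {len(g['pages'])} result pages")
```

On the constructed sample the volume check flags only the legitimate heavy user and none of the six bot hosts, since each sends a single query, while the content check flags every dorking request and the campaign grouping exposes the distributed paging walk. The operator and term lists here are deliberately small; in practice they would be fed from a maintained dork collection.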
Earlier this year, researchers at Kaspersky Labs discovered an ‘indestructible’ botnet controlling more than 4.5 million computers, five percent of them in the UK, which it said presented “the most sophisticated threat today”.
Meanwhile, Microsoft announced in July that the infamous Rustock botnet had been nearly halved in size and was effectively crippled, demonstrating how tech companies can coordinate with law enforcement to take down malware-distributing botnets.