August 2011
Hacker Intelligence Initiative, Monthly Trend Report #3
Hacker Intelligence Summary Report – The Convergence of Google and Bots:
Searching for Security Vulnerabilities using Automated Botnets
In this monthly report from Imperva’s Hacker Intelligence Initiative (HII), we describe
how popular search engines are used as an attack platform to retrieve sensitive
data, a.k.a. “Google Hacking”. This attack is further enhanced by deploying bots to
automate the process and to evade anti-automation detection techniques commonly
deployed by the search engine providers. Although Google Hacking has been around
– in name – for some time, some new innovations by hackers require another, closer
look. Specifically, Google and other search engines have put in place anti-automation measures to stop hackers from abusing search.
However, by using distributed bots, hackers take advantage of the bots’ dispersed nature, giving search engines the impression that
individuals are performing routine searches. The reality? Hackers are conducting cyber reconnaissance on a massive scale.
Imperva’s Application Defense Center (ADC) has followed up on a particular botnet and has witnessed its usage against a
well-known search engine provider. By tracking this botnet, they found how attackers lay the groundwork to simplify and
automate the next stages in an attack campaign against web applications. In this report, we describe the steps that hackers
take to leverage the power of search engines to massively collect attack targets and successfully carry out their attacks. Our
findings show that during an attack, hackers can generate more than 80,000 daily queries to probe the Web for vulnerable
Web applications. We provide essential advice to organizations on how to prepare against exploits tailored against these
vulnerabilities. We also propose potential solutions that leading search engines such as Google, Bing and Yahoo can employ in
order to address the growing problem of hackers using their platform as an attacker tool.
An Overview of Google Hacking
On the Internet, search engines have emerged as powerful tools in an attacker’s arsenal, providing a way to gather
information about a target and find potential vulnerabilities in an anonymous and risk-free fashion. This activity is typically
called “Google Hacking”. Although the name emphasizes the search-engine giant, it pertains to all search engine providers.
Collecting information about an organization can set the stage for hackers to devise an attack tailored for a known
application. The specialized exploitation of known vulnerabilities may lead to contaminated web sites, data theft, data
modification, or even a compromise of company servers.
Search engines can be directed to return results that are focused on specific potential targets by using a specific set of
query operators. For example, the attacker may focus on all potential victims in a specified geographic location (e.g. per
country). In this case, the query includes a “location” search operator. In another scenario, an attacker may want to target
all vulnerabilities in a specific web site, and achieves this by issuing different queries containing the “site” search operator.
These particular search queries are commonly referred to as “Google Dorks”, or simply “Dorks”.
Automating the query and result parsing enables the attacker to issue a large number of queries, examine all the returned
results and get a filtered list of potentially exploitable sites in a very short time and with minimal effort.
In order to block automated search campaigns, today’s search engines deploy detection mechanisms which are based on
the IP address of the originating request.
What’s new about this attack campaign that we witnessed? Our investigation has shown that attackers are able to overcome
these detection techniques by distributing the queries across different machines. This is achieved by employing a network
of compromised machines, better known as a botnet.
Hackers also gain the secondary benefit of hiding their identity behind these bots, since it is the compromised host which
actually performs the search queries. In effect, the attacker adds a layer of indirection between herself and the automated
search queries. This makes the task of tracking back the malicious activity to the individual attacker all the more difficult.
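The IP-based anti-automation check described above stops triggering once the queries are spread across a botnet. As an added example that is not part of the Imperva report, the Python below runs the per-IP rate rule and a complementary rule that groups dork-like queries by their normalized text across source addresses, over a constructed query log; the operator list, the dork heuristic, the thresholds and the log format are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines (not from the report): "<epoch> <source-ip> <query>".
# Twelve distinct hosts each issue the same osCommerce dork twice; one more
# host issues ordinary queries. Addresses are from the 192.0.2.0/24 doc range.
DORK = 'inurl:shop "powered by osCommerce"'
SAMPLE_LOG = [f"{1312200000 + i * 7} 192.0.2.{10 + i % 12} {DORK}" for i in range(24)]
SAMPLE_LOG += [
    "1312200200 192.0.2.50 site:example.com store hours",
    "1312200260 192.0.2.50 oscommerce tutorial",
]

LINE_RE = re.compile(r"^(\d+) (\S+) (.+)$")
# Assumed operator list; real engines support more.
OPERATOR_RE = re.compile(r"\b(site|inurl|intitle|intext|filetype|location):", re.I)

def parse(lines):
    """Yield (timestamp, ip, query) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def is_dork_like(query):
    """Heuristic: an operator combined with a quoted literal, or two operators."""
    ops = len(OPERATOR_RE.findall(query))
    return ops >= 2 or (ops >= 1 and '"' in query)

def normalize(query):
    """Collapse case and whitespace so trivially rephrased copies group together."""
    return " ".join(query.lower().split())

def per_ip_rate_alerts(events, threshold):
    """The IP-based rule the report describes: flag hosts above a query count."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > threshold)

def per_dork_spread_alerts(events, min_sources):
    """Complementary rule: flag a dork-like query repeated by many distinct
    sources, regardless of how few queries each individual host sends."""
    sources = defaultdict(set)
    for _, ip, query in events:
        if is_dork_like(query):
            sources[normalize(query)].add(ip)
    return {q: len(s) for q, s in sources.items() if len(s) >= min_sources}

def analyze(lines, ip_threshold=10, min_sources=5):
    """Return (IPs flagged by the rate rule, dorks flagged by the spread rule)."""
    events = list(parse(lines))
    return per_ip_rate_alerts(events, ip_threshold), per_dork_spread_alerts(events, min_sources)
```

On the constructed log the per-IP rule flags nothing, because every host stays at two queries, while the spread rule flags the single dork as issued by twelve distinct sources.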
The Hacker’s 4 Steps for an Industrialized Attack:
1. Get a botnet. This is usually done by renting a botnet from a bot farmer who has a global network of compromised computers under his control.
2. Obtain a tool for coordinated, distributed searching. This tool is deployed to the botnet agents and it usually contains a database of dorks.
3. Launch a massive search campaign through the botnet. Our observations show that there is an automated infrastructure to control the distribution of dorks and the examination of the results between botnet parts.
4. Craft a massive attack campaign based on search results. With the list of potentially vulnerable resources, the attacker can create a script, or use a ready-made one, to craft targeted attack vectors that attempt to exploit vulnerabilities in pages retrieved by the search campaign. Attacks include: infecting web applications, compromising corporate data or stealing sensitive personal information.
Detailed Analysis
Mining Search Engines for Attack Targets
Search engine mining can be used by attackers in multiple ways. Exposing neglected sensitive files and folders, collecting
network intelligence from exposed logs and detecting unprotected network attached devices are some of the perks of
having access to this huge universal index. Our report focuses on one specific usage: massively collecting attack targets.
Specially crafted search queries can be constructed to detect web resources that are potentially vulnerable. There is a
wide variety of indicators, starting from distinguishable resource names through banners of specific products and up to
specific error messages. The special search terms, commonly referred to as “Dorks” [1], combine search terms and operators
that usually correlate the type of resource with its contents. Dorks are commonly exchanged between hackers in forums.
Comprehensive lists of dorks are also being made available through various web sites (both public and underground).
Examples include the legendary Google Hacking Database at http://johnny.ihackstuff.com/ghdb/ and the up-to-date sites
http://www.1337day.com/webapps and http://www.exploit-db.com/google-dorks/. As the latter name suggests, the site
contains an exploit database demonstrating how dorks and exploits go hand in hand.
[1] http://www.danscourses.com/Network-Security+/search-engine-hacking-471.html
Figure 1: Banner from the Google Hacking Database
Figure 2: Banners from the Exploit Database
Some resources classify dorks according to platform or usage as can be seen from the screenshot below:
Figure 3: Searching dorks by class
An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an
attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are
potentially vulnerable.
For example, the following query returns results of online shopping sites running the osCommerce application.
Figure 4: Results returned from a dork search