Hackers are using botnets to generate more than 80,000 search queries a day, allowing them to identify potential attack targets in a very short time and with minimal effort.
According to security firm Imperva’s latest Hacker Intelligence report (pdf), special search terms known as “Dorks” are used to home in on potential attack targets. Dorks are search queries designed to return results that contain a certain code, enabling hackers to build up a list of vulnerable webpages. They are commonly exchanged between hackers in forums, such as the Google Hacking Database.
Automating queries on search engines using a botnet enables the attacker to get a filtered list of potentially exploitable sites very quickly. As searches are conducted using botnets, and not the hacker’s IP address, the attacker’s identity remains concealed.
“Hackers have become experts at using Google to create a map of hackable targets on the web,” said Imperva’s chief technology officer Amichai Shulman. “This cyber reconnaissance allows hackers to be more productive when it comes to targeting attacks which may lead to contaminated websites, data theft, data modification, or even a compromise of company servers.”
The problem with today’s search engines is that they deploy detection mechanisms which are based on the IP address of the originating request. This means that detection can easily be avoided using a botnet, which distributes the queries across different compromised machines.
Imperva recommends that search engine providers keep an eye out for unusual or suspicious queries – such as those known to be part of public Dorks databases, or queries that look for known sensitive files.
However, organisations also need to be aware of the risks. Due to the thorough indexing of most corporate information – including web applications – the exposure of vulnerable applications is bound to occur, warns Imperva. Businesses can protect against exploits by deploying runtime application layer security controls, such as a web application firewall or reputation-based controls.
During May and June, Imperva observed a specific botnet attack that examined dozens of returned results using paging parameters in the query. Nearly 550,000 queries were requested during the observation period. The attacker was able to take advantage of the bandwidth available to the dozens of controlled hosts in the botnet to seek and examine vulnerable applications.
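The detection gap described above is that per-IP heuristics never fire when a botnet spreads the queries across many hosts. The following added example (not from Imperva's report or any search engine's code) runs over a constructed search log and instead groups dork-like queries by their text, flagging a query when it arrives from several distinct IPs, and noting when the same query is walked across result pages via a paging offset; the operator regex, file-name list and log format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample search log: "client_ip<TAB>query<TAB>page_offset".
# Each IP issues at most two queries, so a per-IP rate limit never fires.
SAMPLE_LOG = """\
203.0.113.10\tinurl:login.asp filetype:asp\t0
203.0.113.11\tinurl:login.asp filetype:asp\t10
203.0.113.12\tinurl:login.asp filetype:asp\t20
203.0.113.13\tinurl:login.asp filetype:asp\t30
203.0.113.14\tinurl:login.asp filetype:asp\t40
198.51.100.7\tbest pizza in london\t0
198.51.100.7\tweather tomorrow\t0
203.0.113.15\t"index of" backup.sql\t0
203.0.113.16\t"index of" backup.sql\t10
"""

# Assumed set of search operators that characterise dork-style queries.
DORK_OPERATORS = re.compile(r"\b(?:inurl|intitle|intext|filetype|ext|site):", re.I)
# Illustrative "known sensitive file" names (placeholder list, not Imperva's).
SENSITIVE_FILES = ("backup.sql", ".htpasswd", "config.bak")


def is_dork(query: str) -> bool:
    """A query is dork-like if it uses search operators or names a sensitive file."""
    q = query.lower()
    return bool(DORK_OPERATORS.search(q)) or any(f in q for f in SENSITIVE_FILES)


def max_queries_per_ip(log_text: str) -> int:
    """What a per-IP detector sees: the busiest single client in the log."""
    counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        counts[line.split("\t")[0]] += 1
    return max(counts.values())


def analyse(log_text: str, min_ips: int = 3) -> dict:
    """Group dork-like queries by query text rather than by IP; flag a query seen
    from at least `min_ips` distinct IPs and record whether result pages were walked."""
    ips_by_query = defaultdict(set)
    pages_by_query = defaultdict(set)
    for line in log_text.strip().splitlines():
        ip, query, page = line.split("\t")
        if is_dork(query):
            key = query.lower()
            ips_by_query[key].add(ip)
            pages_by_query[key].add(int(page))
    return {key: {"distinct_ips": len(ips), "pages_walked": len(pages_by_query[key]) > 1}
            for key, ips in ips_by_query.items() if len(ips) >= min_ips}
```

On the sample log the per-IP view peaks at two queries per client, while the query-centric view flags the login dork coming from five hosts with a rising paging offset.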
Earlier this year, researchers at Kaspersky Labs discovered an ‘indestructible’ botnet controlling more than 4.5 million computers, five percent of them in the UK, which it said presented “the most sophisticated threat today”.
Meanwhile, Microsoft announced in July that the infamous Rustock botnet had been nearly halved in size and was effectively crippled, demonstrating how tech companies can coordinate with law enforcement to take down malware-distributing botnets.