Making takedown attempts very hard

Aug 24, 2009 09:49 GMT

A new piece of malware called Downloader.Sninfs, which uses Twitter and various pastebin services to issue updates to its botnet, has been recently discovered. Security experts now warn that Google's search engine could be abused in a similar manner to make a botnet more resilient to takedown efforts.

Botnets play a big role in today's underground economy and malware landscape. As a Kaspersky security researcher recently detailed in a study, these armies of zombie computers are very flexible and can be used to perform a vast array of illegal activities such as DDoS, spam, adware distribution, click fraud, e-mail harvesting and others, racking up hundreds of millions of dollars in profits for their owners.

Maintaining botnets requires issuing constant updates to the compromised computers comprising them. Cybercrooks are constantly looking for ways to make these update mechanisms more resilient to the takedown efforts of security experts.

Over the years, botnet architecture has evolved from receiving updates from a single command and control server to exchanging files between the clients themselves by implementing peer-to-peer technology. New methods, such as fast-flux domain hosting or hosting the C&C servers with ISPs that do not properly respond to abuse complaints, have made it increasingly hard for security researchers to track down and incapacitate these threats.

In this context, the prospect of botnet operators using Google to further cripple the ability of the community to fight back is scary. "With Twitter, it was easy to shut down one account. How do you shut down Google?" asks Vaclav Vincalek, president of Pacific Coast Information Systems (PCIS), and the expert who detailed this new approach.

According to Vincalek's explanation for Network World, the method is rather straightforward and does not require a great deal of technical knowledge. First, an attacker would need to compromise a few websites through persistent XSS or SQL injection, two very common web-attack techniques. After injecting the rogue update code into the pages, their metadata could be altered so that they appear in search results for a very uncommon string of keywords.

The botnet clients can then be programmed so that they search Google for those keywords and get the update code from pages returned as search results. "If the botnet starts using Google for special keywords and finds the code and executes, you can start using Google as the transmission of the code or instructions to these botnets," the researcher noted, adding that he was not aware of this method being currently used in the wild.