Worms turn on Google to hunt for victims

The latest 'Google hack' uses the search tool for automated vulnerability detection

Malware authors are increasingly creating digital pests that use Google to find their next victim.

Using the search tool for automated vulnerability detection is the latest trend in a technique known as 'Google hacking'.

George Kurtz, senior vice president for risk management at security firm McAfee, told vnunet.com about the phenomenon after a presentation at the RSA Conference in San José.

The Santy.a worm, for instance, targeted a known vulnerability in some versions of the phpBB open source bulletin board application to deface websites. It found its victims through an automated Google search query.

Google eventually stopped the worm from spreading by blocking all searches that would turn up servers running the application. But the search engine is able to detect the abuse only if the queries stand out from other searches.

Google 'hacking' does not mean breaking into the company's servers but involves online criminals using Google and other search engines to find sensitive information on the internet.

Hackers have used search engines to assist in break-ins ever since the creation of online search.

During a series of demonstrations, Kurtz showed how fairly straightforward queries will bring up user names and passwords as well sensitive information such as social security numbers.

Some users, for instance, will put log files for vulnerability scans on their websites. The report is an open invitation for online criminals to exploit those vulnerabilities.

"Could you automate this any more? The bar to break into these systems is so low now, that any monkey that punches this code into Google can get this information back," Kurtz noted.

"You almost get bored finding all these password files. It used to be fun in the old days when you found a password file. Now you just go to Google and find thousands of them."

Users should adopt policies regulating the information they put up on their websites and periodically audit their systems using tools such as GooScan or Site Digger, a free tool from McAfee subsidiary Foundstone. 

Google is not to blame for the information disclosure, Kurtz argued, but is merely providing the tools. He used the analogy of a gun maker providing a weapon but not pulling the trigger.

Pictures and screenshots of the 'Google hacks' are posted on Silicon Valley Sleuth.