Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

New vulnerability in bots of search engines (for security bypass)
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 14 May 2010 23:32:27 +0300

Hello participants of Full-Disclosure.

Last year I already wrote about vulnerabilities in bots of search engines in
my articles URL Spoofing vulnerability in bots of search engines
(http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00047.html)
and URL Spoofing vulnerability in bots of search engines #2
(http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00056.html).
And in April I wrote about new vulnerability in bots of search engines.

Last month in article Bypassing systems for searching of viruses at web
sites (http://websecurity.com.ua/4173/) I wrote about vulnerability in bots
of search engines which have built-in antivirus protection systems (for now
there are three such search engines). This concerns all systems for
searching of viruses at web sites which have such behavior.

At beginning of April I made a testing of systems for searching of viruses
at web sites and wrote the article about it. In my article I examined
different systems for searching of viruses at web sites, as standalone, as
built-in the search engines. Last month I wrote brief description of my
article to the WASC Mailing List, but because it was not published (for
unknown reasons), I'll not be telling you anything about that research :-)
(in case if it's not corresponding with rules of the list) - who want to
know more about it can contact me by email.

So one day in April I was thinking about the subject of protecting from
viruses at web sites and I found possibility to bypass such systems.
Especially those ones which are built in search engines. Which I wrote about
in above-mentioned article. In brief the method is the next.

Bypassing systems for searching of viruses at web sites is possible with
using of cloaking. When User Agent is analyzing, and if it's search engine,
then malicious code is not shown, if it's browser - then shown. So the same
cloaking which used for SEO, can be used for malware spreading and hiding
from systems for searching of viruses at web sites. Particularly from
search engines with built-in antivirus systems, because they are using bots
of search engines with known user agents.

Note, that I saw the using of cloaking method in malicious scripts during
my researches in last years. Particularly I saw checking of referer (and
similar approach can be used for User Agent). And these method of protection
of malicious code from systems for searching of viruses creates serious
challenge for these systems.

P.S.

Recently in May, after half of month after I posted my article, I got to
know from news, that bad guys already are actively using this method (you
can hear about this news). Recently many WordPress-based sites was hacked
and infected with viruses, and the code for distributing of malware was
using a cloaking for hiding of malicious code from built-in antivirus in
search engines Google and Yahoo.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • New vulnerability in bots of search engines (for security bypass) MustLive (May 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]