Full Disclosure mailing list archives
New vulnerability in bots of search engines (for security bypass)
From: "MustLive" <mustlive () websecurity com ua>
Date: Fri, 14 May 2010 23:32:27 +0300
Hello participants of Full-Disclosure.

Last year I already wrote about vulnerabilities in bots of search engines in my articles URL Spoofing vulnerability in bots of search engines (http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00047.html) and URL Spoofing vulnerability in bots of search engines #2 (http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00056.html). And in April I wrote about a new vulnerability in bots of search engines.

Last month, in the article Bypassing systems for searching of viruses at web sites (http://websecurity.com.ua/4173/), I wrote about a vulnerability in bots of search engines which have built-in antivirus protection systems (for now there are three such search engines). This concerns all systems for searching of viruses at web sites which have such behavior.

At the beginning of April I tested systems for searching of viruses at web sites and wrote an article about it. In my article I examined different systems for searching of viruses at web sites, both standalone and built into search engines. Last month I sent a brief description of my article to the WASC Mailing List, but because it was not published (for unknown reasons), I'll not be telling you anything about that research :-) (in case it does not correspond with the rules of the list). Those who want to know more about it can contact me by email.

So one day in April I was thinking about the subject of protecting from viruses at web sites and I found a possibility to bypass such systems, especially those which are built into search engines, which I wrote about in the above-mentioned article.

In brief, the method is as follows. Bypassing systems for searching of viruses at web sites is possible with the use of cloaking: the User Agent is analyzed, and if it's a search engine, then malicious code is not shown; if it's a browser, then it is shown.

So the same cloaking which is used for SEO can be used for malware spreading and hiding from systems for searching of viruses at web sites, particularly from search engines with built-in antivirus systems, because they are using bots of search engines with known user agents.

Note that I saw the use of the cloaking method in malicious scripts during my research in recent years. In particular, I saw checking of the referer (and a similar approach can be used for the User Agent). And this method of protecting malicious code from systems for searching of viruses creates a serious challenge for these systems.

P.S.

Recently, in May, half a month after I posted my article, I learned from the news that bad guys are already actively using this method (you can hear about this news). Recently many WordPress-based sites were hacked and infected with viruses, and the code for distributing malware was using cloaking to hide malicious code from the built-in antivirus in the search engines Google and Yahoo.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
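A scanner-side check for the cloaking described in the message above, as an added example that is not part of the original post: it compares the active content (scripts, iframes, embeds) returned for one URL under a crawler header profile and under browser profiles, and reports anything the crawler never saw. The profile names, the sample HTML bodies and the `.invalid` host are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class ActiveContent(HTMLParser):
    """Collect externally loaded and inline active content from one HTML body."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = set(), None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe", "embed", "object"):
            src = attrs.get("src") or attrs.get("data")
            if src:
                self.items.add((tag, src))
            elif tag == "script":
                self._inline = []          # start buffering an inline script

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body:  # hash so the report stays short and comparable
                self.items.add(("inline-script", hashlib.sha256(body.encode()).hexdigest()[:16]))
            self._inline = None

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def cloaked_items(responses, crawler_profiles):
    """Active content served to a non-crawler profile but to no crawler profile."""
    seen_by_crawler = set().union(*(active_content(responses[p]) for p in crawler_profiles))
    hidden = {}
    for profile, html in responses.items():
        extra = active_content(html) - seen_by_crawler
        if profile not in crawler_profiles and extra:
            hidden[profile] = extra
    return hidden

# Constructed sample bodies for one URL fetched under three header profiles.
PAGE = '<html><head><script src="/js/site.js"></script></head><body><p>Post</p>%s</body></html>'
SAMPLE = {
    "crawler-ua": PAGE % "",
    "browser-ua": PAGE % '<iframe src="http://cloaked.example.invalid/f"></iframe>',
    "browser-ua+referer": PAGE % '<script>var constructed = 1;</script>',
}
```

Comparing extracted script and frame sources rather than raw bytes keeps ordinary per-request differences in page text from being reported as cloaking.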