Worms Using Search Engines

  2005-02-28

  21:11, by Hagai Bar-El, 357 words
Categories: IT Security

Check out this news item:

Latest Mydoom shows hackers using search engines for attacks

It's about Internet-based worms making use of search engines to spread. In the examples presented, the worms search Google, Lycos, etc., using specially crafted search strings, for e-mail addresses and for vulnerable machines to hop to.

I was not aware of this trend of worms before, so I agree it's new. Yet, I don't agree with any fear associated with this new brand of worms. These worms are somewhat novel in their approach. Yet, I think this approach is better for us (the good guys) rather than worse.

One of the properties that make Internet worms hard to cope with is their distributed nature. To stop a worm, you need to teach each and every platform (that matches its infection profile) of its existence, by reaching it with an anti-virus or patch update before the worm does. This leads to the close chase that follows the introduction of every new worm: a worm is invented and starts spreading; content security analysts examine it and issue a patch or an anti-virus update, which is spread by the distributed update mechanism. Over time, more and more machines are infected while more and more machines are protected and become non-infectable. By the time the worm finds (roughly) no one new to infect, it has caused its damage.

Now imagine there was one central server that could limit the propagation when patched. When this is the case, the worm can be stopped using that server rather than by distributing patches and hoping for them to make it in time. This is exactly what's going to happen with search-engine-assisted worms. As soon as the worm is discovered, a remedy will be introduced to the search engine server, so it doesn't serve the worm. As soon as this is done, the worm will be strictly limited in its spreading capability, to the extent that it will freeze where it is. The worm will remain distributed in nature while the fix will be centralized. This will give the "good guys" a significant advantage.
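The race described above can be made concrete with a toy propagation model. This is an added example, not part of the original post; the host count, rates and fix time are constructed assumptions, and the centralized case assumes the worm has no way to find targets other than the search engine.

```python
"""Toy deterministic worm-propagation model (constructed parameters, not data)."""


def simulate(hosts=100_000, seed=10, contact_rate=0.8, fix_step=10,
             patch_rate=0.15, central_fix=False, steps=60):
    """Return the number of infected hosts after each time step.

    fix_step    -- step at which analysts release a remedy (assumed)
    patch_rate  -- fraction of still-vulnerable hosts patched per step once
                   the update is being distributed (assumed)
    central_fix -- True: the worm finds targets only through a search engine,
                   and the engine stops answering its queries at fix_step
    """
    susceptible = float(hosts - seed)
    infected = float(seed)
    history = []
    for step in range(steps):
        fixed = step >= fix_step
        # Search-assisted worm: no search results means no new targets.
        rate = 0.0 if (central_fix and fixed) else contact_rate
        new_infections = min(susceptible, rate * infected * susceptible / hosts)
        susceptible -= new_infections
        infected += new_infections
        # Distributed remedy: updates reach vulnerable hosts only gradually,
        # so the worm keeps infecting hosts the update has not reached yet.
        if fixed and not central_fix:
            susceptible -= patch_rate * susceptible
        history.append(infected)
    return history


def compare(fix_step=10):
    """Final infection counts for the two remediation models."""
    distributed = simulate(fix_step=fix_step, central_fix=False)
    central = simulate(fix_step=fix_step, central_fix=True)
    return {
        "infected_when_fix_released": round(central[fix_step - 1]),
        "final_with_distributed_patching": round(distributed[-1]),
        "final_with_central_filter": round(central[-1]),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With the centralized filter the infected count stops at its value on the step the remedy is released, while under distributed patching it keeps climbing until the updates have reached the remaining vulnerable hosts.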
