Prevx uncovered new vulnerabilities affecting PC users trying to use Internet search engines to locate information about potential spyware. Prevx researchers discovered certain malicious spyware programs prevent users, whose computers have become infected, from using popular search engines such as Yahoo!, Google and MSN to locate a cure, enabling the spyware infections to proliferate more readily among consumers.
“If a user searches for a suspect file name on Google or Yahoo! and nothing is found, then the assumption is that the file is probably nothing to worry about,” said Prevx CEO Mel Morris. “Such is the power of search today. Sadly, users must be more vigilant; a blank result on a top search engine is more likely to point to it being malicious.”
Prevx researchers recommend that search engine companies find better and faster ways to help security vendors expose new infections and make protection readily available to computer users.
The latest Prevx research results and recommendations are based on a sample of 250,000 malicious file names, from among the researchers’ database of more than 30 million malicious file names, which were listed by the search engines during 2006.
Malicious techniques uncovered by Prevx include:
• Using filenames to exploit hiding places inside search results, creating hundreds of millions of matches
• Using unique, customized filenames for individual groups of PCs infected
• Exploiting an average 10-day lead time before search engines present results for a new infection
Backdoor Search Vulnerability
In one example, Prevx researchers cited a file with the name “.EXE”, first identified by Prevx as part of a Backdoor.Win32.IRCBot.BV infection in July 2006. This infection creates a backdoor on an infected user’s PC allowing confidential information to be transmitted at will to the criminal author’s computer.
The search engines proved unable to cope with this filename, returning details of every filename ending with the suffix “.EXE”. Therefore, a computer user noticing this infection would have been presented with more than 176 million matches to a search for this term on Google.
A similar approach appears to have taken place during August 2005 with a malicious file simply named “.DLL”.
Some infections use literally hundreds of thousands of different, almost unique, names for each PC infected. But while these infections frequently use the same program code, the infected user has little chance of identifying the file as malicious or finding a cure via the search engines.
Prevx research also includes a detailed study of each search engine’s responsiveness to spidering (reading and parsing) new malicious file content as it emerges from online security forums, security vendor web sites and Prevx’s own malware research database.
Prevx researchers measured the elapsed time between when a large number of malicious file names associated with spyware infections during 2006 were first identified by Prevx’s community database and exposed publicly on its web site, and when those file names appeared in search results from the major search engines. Lead time among the popular search engines varied significantly, from 2 to 15 days.
One search engine technology that stood out during this research was Google’s Beta Site Map Index project. Prevx researchers believe this technology has huge potential. But the volume and speed of new content which the Prevx research database exposes on a daily basis significantly outstrips Google’s rate of spidering site-mapped content, even on its fast setting. The Prevx database learns of more than 200,000 new executable programs and as many new file names every day. Frequently, 5 percent or more of these are associated with new or established infections.
However, modern self-replicating internet worms such as Trojan.URDVXC can generate as many as 1,000 randomly named files on an infected user’s PC within a matter of seconds. The Prevx database logged 350,000 new file names for this infection within the first 24 hours of its sighting. A sample of these can be viewed over here. This infection is still in the wild and users may only realize they have become infected when they spot one of the strangely named files on their PC.
Additional evidence of malware writers’ ability to rapidly scale, even for brand new spyware infections, was apparent during the new study.
In 2006, the spyware program known as SpywareQuake reached 400 users per million computer users within three weeks and remained highly active for four months. This program, which masquerades as an antispyware solution, reports fake infections and then offers to clean these for a fee, typically around $40.
Eventually, the infection was reined in by many security products. However, its creators quickly reincarnated the malware, this time as VirusBurst, which went from zero to 400 users per million within 48 hours. In comparison, the search engines move at a much slower pace. The inability of users to quickly locate the necessary search results was a key factor in the proliferation of these infections.