Google-Hacking Goes To China
Andy Greenberg, 04.28.08, 6:40 PM ET
Google has yet to bring its U.S. success to China--only about one in five Chinese Web searches starts at the site. But lately, Google seems to have gained popularity with at least one group of Chinese Web users: some of the country's most successful cybercriminals.
Over the past several weeks, researchers have tracked a hacker exploit that's infected more than half a million pages around the Web, invisibly redirecting visitors to those pages to servers that install malicious software on their PCs. The cybercriminals' exploit uses an increasingly common method to decide which pages to infect: Google searches that probe sites en masse for hackable weak points.
According to those who have followed the attack at the SANS Institute's Internet Storm Center, a cybersecurity crisis response organization, the infection tool is partially written in Chinese characters and compiled on a computer with Chinese language settings.
The apparently Chinese cybercriminals are using Google searches to track down sites vulnerable to so-called "SQL injections," says Jeremiah Grossman, chief technology officer of security firm Whitehat Security. By entering certain strings of text into user input boxes on Web sites, cybercriminals can get a site's Structured Query Language (SQL) database to treat that input as commands rather than data, and so gain control of it, says Grossman. "They're using Google to get their target list and automatically blasting those targets with their attack," he says.
Cybercriminals and security researchers have used search engines, including Google, for years to scour the Web for instances of outdated code open to intrusions. But this latest "Google hacking" exploit has brought the technique to another level, creating the largest-ever epidemic of compromised Web sites, including some hosted by the U.S. Department of Homeland Security, the United Nations and the British government.
For now, the majority of those infected sites are no longer a threat, says independent Bulgarian security analyst Dancho Danchev. Researchers at SANS and security firm Websense, in San Diego, notified the Chinese Internet service provider and domain registrar hosting the computers with malicious software. The Chinese companies then disconnected those computers from the Internet over the past weekend, Danchev says.
But most of those sites still remain vulnerable to SQL injection--meaning the same group of hackers or a copycat group could use similar techniques to redirect the sites' visitors to another server hosting malicious software, Danchev argues. "There's a huge, and I mean huge, percentage of legitimate sites that continue to remain vulnerable to such remotely exploitable massive injections," he says.
Danchev warns that this kind of wholesale, automated infection of Web sites may be a growing tactic for cybercriminals. "Long tail" hacking, as he calls it, is more effective and more difficult to reverse than compromising a single popular destination, such as the hacking of the Miami Dolphins' Web site before last year's Super Bowl. "Infecting hundreds of thousands of sites results in enormous potential for aggregating and abusing the traffic that they receive, compared to targeting a single high-profile site," Danchev says.
In this case, the hundreds of thousands of attacked sites have something in common: They're all hosted on servers running either Microsoft's Internet Information Services software or its SQL database software. Whitehat Security's Grossman speculates that machines running that software were targeted because they allow several commands to be injected in a single user input field on the sites they host, making those sites easier to hijack.
Microsoft's own security researcher Bill Sisk quickly leapt to the company's defense. "Our investigation has shown that there are no new or unknown vulnerabilities being exploited," he wrote in a statement on the Microsoft Security Response Center's Web site on April 25. "This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server."
In fact, Grossman agrees that the sites' vulnerabilities weren't Microsoft's fault as much as the result of sloppy Web coding on the part of the Web sites' own developers, who failed to filter user input for manipulative commands. But that means the problem is even harder to solve: Most of the hundreds of thousands of sites targeted in the attack still remain vulnerable and will likely be targeted again. "This isn't something Microsoft can patch," he says. "We're seeing one exploit today, and we'll see another tomorrow and another the day after. At any point the attack can change in a heartbeat."
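The three technical points the article makes (user input parsed as SQL commands, a backend that runs several semicolon-separated commands from one input field, and the fix being the site's own code rather than a vendor patch) can be shown side by side. The following is an added example written for this page, not code from the article or from any of the parties it quotes. It uses Python's standard sqlite3 module; `executescript()` is used as an assumed stand-in for a database backend that accepts stacked commands, and the table, the page text and the injected marker are all constructed for the demonstration.

```python
import sqlite3

# Constructed marker standing in for whatever content an attacker appends to
# stored page text; it only has to be recognisable in the integrity check.
MARKER = "<!-- constructed injected marker -->"


def make_db():
    # Constructed sample schema: page bodies stored in the database and rendered
    # to visitors, plus a view counter that is updated on every request.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (
            id INTEGER PRIMARY KEY,
            title TEXT,
            body TEXT,
            views INTEGER DEFAULT 0
        );
        INSERT INTO pages (title, body) VALUES ('home', 'Welcome');
        INSERT INTO pages (title, body) VALUES ('about', 'About us');
    """)
    return conn


def count_view_vulnerable(conn, title):
    # Vulnerable pattern: the request parameter is pasted into the SQL text, so
    # the database cannot tell where the developer's command ends and the
    # visitor's data begins. executescript() runs every statement in the string,
    # mimicking (an assumption for this demo) a backend that executes several
    # semicolon-separated commands submitted through one input field.
    sql = "UPDATE pages SET views = views + 1 WHERE title = '" + title + "';"
    conn.executescript(sql)


def count_view_hardened(conn, title):
    # Hardened pattern: a parameterized query. The SQL text and the value travel
    # separately, so the value is only ever compared against the column and is
    # never parsed as a command, whatever characters it contains. This is an
    # application-code change, which is why no vendor patch can supply it.
    conn.execute("UPDATE pages SET views = views + 1 WHERE title = ?", (title,))
    conn.commit()


def views_of(conn, title):
    # Read back the counter so the hardened path can be shown to still work.
    row = conn.execute("SELECT views FROM pages WHERE title = ?", (title,)).fetchone()
    return row[0] if row else None


def tampered_pages(conn):
    # Integrity check a site owner can run after an incident: which stored page
    # bodies now carry content that was never published through the CMS?
    rows = conn.execute(
        "SELECT title FROM pages WHERE body LIKE ? ORDER BY id",
        ("%" + MARKER + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def demo(handler):
    # Run one handler against a fresh database with a constructed input that
    # closes the intended statement and stacks a second one behind it, then
    # report which page bodies were altered.
    conn = make_db()
    stacked = "home'; UPDATE pages SET body = body || '" + MARKER + "'; --"
    handler(conn, stacked)
    return tampered_pages(conn)


if __name__ == "__main__":
    print("vulnerable handler, pages altered:", demo(count_view_vulnerable))
    print("hardened handler, pages altered:  ", demo(count_view_hardened))
```

With the vulnerable handler, every page body in the table is rewritten in a single request, which is the site-wide effect the article describes; with the parameterized handler the same input matches no row and changes nothing, while an ordinary title still increments its counter. The `tampered_pages` query is the kind of check that tells an operator whether a site that was "cleaned" by taking the malicious server offline still has altered content, and it says nothing about whether the injection point itself has been fixed.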