Botnets have been taking down web sites for years by overwhelming sites with too much traffic. But now the swarms of compromised computers are being unleashed for the first time on an old kind of vulnerability: Google Dorks.

Google Dorks have been around for a while, as the name for an attack where hackers scan web sites, using commonly used links within company networks, to see if there are any unsecure links that can be used to break into a company’s web site. A report being released today by Imperva warns that the combination of the highly automated botnets and the Google Dorks are a new vector for hackers to break into companies on a massive scale.

Hackers sometimes manually scan sites for such stray links, but that’s like looking for a needle in the haystack. They have now figured out how to automate their scanning. They do so by getting botnets, or farms of compromised computers that have been hijacked without the owners’ knowledge. These botnets are used to automatically search through a series of links that may be related to a company’s web site. They use the botnets and Google Dorks to uncover weaknesses, and then they launch conventional hacking attacks against them. The result of these attacks can be contaminated web sites, data theft, data modification, or compromised company servers.

The hackers can efficiently use popular search engines as an attack platform to retrieve sensitive data. Botnets automate the process and can evade anti-automation detection techniques commonly deployed by the search engine providers. By using bots that are distributed throughout the world, the hackers fool the search engines into thinking that the searching is being done by real human individuals, not a herd of bots controlled by a hacker.

“This is what the hackers do to conduct cyber reconnaissance,” said Rob Rachwald, a senior security strategist at security firm Imperva, in an interview. “This used to be a manual process, but now it’s automated.”

With the automation, attackers can get a filtered list of potentially vulnerable web sites in a very short time. Mining search results can expose neglected sensitive files and folders, and unearth network logs and unprotected network-attached devices.

With botnets, the hackers can run 80,000 queries in a day, eluding detection and efficiently fishing for attack targets. Imperva’s Application Defense Center observed a particular botnet in action during the May-June time frame and witnessed its use against a well-known search engine provider. By tracking this botnet, Imperva found how attackers lay the groundwork to simplify and automate the next stages in an attack campaign against web apps.

“We found out because we were observing,” Rachwald said.

Today, search engines detect automated search routines by detecting the searcher’s internet protocol, or IP, address. If the same address is used over and over again for slightly different searches, the search engines block it. But botnets consist of computers scattered around the world, all using different IP addresses. Hackers can hide their identities behind these botnets, which are available on the underground for rental.

The botnets can be used with a distributed search tool to find distinguishable resource names and specific error messages that say more than they should. Dorks are often exchanged between hackers in forums. Some of the lists of Dorks are posted on various web sites. Dorks and exploits go hand in hand.

In the attack that Imperva observed, the attackers used dorks that match vulnerable web applications and search operators that were tailored to a specific search engine. For each unique search query, the botnet examined hundreds of returned results. Full told, the number of queries topped 550,000 queries, including one day with 81,000 queries — all via single botnet.

The attackers targeted e-commerce sites and content management systems. The more success they had, the more the attackers refined their search terms. Imperva saw 4,719 different variations of dorks used in the attacks.

Fortunately, there are some solutions that Google, Bing and Yahoo can use to protect against these attacks. Search engines are in a unique position to identify botnets that abuse their services and can thus find out more about the attackers. The search engines can identify unusual queries such as those that contain terms from publicly available Dork databases, or queries that look for sensitive files. By doing so, search engines can come up with more blacklisted IP addresses. Google can force some searchers to fill out a CAPTCHA form, (where you look at handwritten characters and type the word that you see), to prove they are human searchers.

Rachwald said that web site creators should attack themselves using common Dork search terms and find out if they are vulnerable. They should also mask their links so that they are harder to guess.Web application firewalls should be able to detect and block attempts at finding application vulnerabilities. The web sites can also use reputation controls to block attacks coming from known malicious sources.

Hackers launched cyber attacks on a number of government websites starting at 6 p.m. Thursday, but failed initially to bring some of the websites to their knees because of enhanced security protection.

Anonymous, an online international group of self-described anarchist hackers, targeted websites related to the Telecommunications Directorate (TÄ°B). The hackers, who tried to block access to the websites belonging to TÄ°B, failed to achieve their goals until 9 p.m.

With an election three days away, access to Turkey’s telecoms authority website, identified as a main target in the protest against the planned new Internet filtering system, was blocked.

While authorities worked to limit the disruption, other sites were also blocked including those related to social security, meteorology and several telecoms-related sites.

One of these was the official site where people can report inappropriate Internet content.

Anonymous threatened to attack Turkish government websites around two weeks before Aug. 22, the date when a new filtering system the Turkish government unveiled in May is to enter into force.

The codename of the cyber attacks was “operationturkey” and the first website to become a target was “www.tib.gov.tr,” TÄ°B’s official website. The hackers also attacked the websites of other units operating under TÄ°B, including the Internet Information Report Center (www.ihbar.org.tr), www.guvenliweb.org.tr and www.guvenlicocuk.org.tr. The attacks were characterized as distributed denial of service (DDoS) attacks.

They then targeted websites of a number of public institutions and political parties.

Anonymous’ cyber attacks were continuing as of Friday.

Crooks using online games to farm virtual currencies that they can sell for real money have turned internet spaceship game Eve Online into a battlefield for botnets.

Eve Online is home to various rival groups who generate in-game currency for gamers who want to join in without spending their time acquiring experience and resources by working their way up from the bottom. Rivals groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the cross-fire of multi-pronged attacks that might occur in game, via DDoS attacks to forums, over VoIP communication systems and late night prank phone calls. Game servers have taken a hit in the process.

Gold farmers are known for using Trojans to gain control of compromised accounts. The Eve Online baddies have taken a different tack through attacks that swamp forums with junk traffic.

Chris Boyd, a senior threat researcher at GFI Software and gaming security experts, said that Eve Online’s difficulties are a part of wider problems in virtual worlds.

“Gold farmers can cause the price of in-world items to rise, chat channels can be flooded by sale scams, endless bots and automated processes can cause significant server load,” Boyd told El Reg. “That’s before you get to the problems creating by phishing, hacking and scamming established and profitable accounts.”

Boyd (AKA paperghost) agreed that the miscreants on Eve Online are taking it up to 11.

“The idea that there are effectively dead systems filled with nothing but spambots and hostile empires that are happy to do battle outside of their gaming realm by DDoS’ing websites and making prank phonecalls is a fascinating insight into the troubles plaguing virtual worlds, and real world currency having a marked impact on virtual trading makes this a few steps above dedicated DDoS botnets designed for nothing other than kicking console gamers out of Halo 3 sessions.”

Various groups rumoured to be working out of Eastern Europe and Russia are said to be offering in-game currency for real money. “Investigations by the owners of the game have caused several leaders of these alliances to be banned in the past,” explained Reg reader Patrick, who was the first to tell us of the hive of villainy within Eve Online.

Anti-zombie PC systems hit the market one after another in the wake of the DDoS (distributed denial of service) attack earlier in March this year and the recent NACF (National Agricultural Cooperative Federation) network breakdown caused by a laptop infected by a zombie PC.

Wins Technet, Piolink and NP Core are about to enter into the market soon with their CC (Common Criteria) certifications, a qualification to supply anti-malignant bot solutions to the local public-sector market.
Wins Technet has recently released the Sniper BPS, which not only detects and blocks a PC infected with a malicious bot from accessing networks but also analyzes malicious codes to treat affected computers. It has already won the CC mark and is getting ready to win over public-sector customers after June.
Piolink has also launched a similar product, dubbed TiFRONT-AntiBot, and has supplied it to the National Computing & Information Agency, the Korea Internet & Security Agency and major companies in the industry. The solution senses botnets trying to access networks in advance and analyzes them, directing the L2 security switch to shut them off. Saint Security, a local bot detection firm, participated in the development of the product and added to its detection accuracy.
In the meantime, foreign companies like Trend Micro, Symantec and FireEye are preparing themselves to land on the local malware detection software market, too. As such, it is likely that the domestic and foreign solution developers will be engaged in a neck-and-neck competition down the road.

According to a new case study published by the Internet Security Awareness Training (ISAT) firm KnowBe4, a telephony denial-of-service (TDoS) attack against a semi-retired St. Augustine dentist served as a smokescreen for a nearly $400,000 cyberheist.

In November 2009, Robert Thousand Jr. began receiving a flood of calls to his business, home and mobile phone lines. The calls consisted of a 30-second recorded message from a sex hotline. What appeared to be a phone service issue turned out to be far more sinister. The following month, Thousand discovered that five transfers totaling $399,000 had been made from his TD Ameritrade retirement account. When the FBI investigated his case, it became apparent that the TDoS attack was intended to prevent Thousand’s broker from reaching him while the criminals committed their cyberheist.

TDoS is a form of denial-of-service (DoS) attack. When the calls come from multiple sources, it is known as a distributed denial-of-service (DDoS) attack. The high volume of automated calls prevents victims from making or receiving legitimate calls, thereby denying them use of their phone service. In Thousand’s case, the cybercriminals set up a number of VoIP accounts and used automated dialing to inundate his phone lines. While that was happening, they initiated the transfers that drained his retirement account.

Thousand was not the only victim to be targeted in such a manner. Others reported similar telephony DoS attacks in the months that followed. In 2010, the Communication Fraud Control Association (CFCA) and the FBI formed a partnership to identify TDoS patterns and trends, prevent DoS attacks, raise Internet security awareness and catch those who conduct cyberheists. Despite these efforts, unsuspecting members of the public can still fall prey to increasingly sophisticated cybercrime tactics.

“The problem is larger than the issue of telephony denial of service alone,” explained KnowBe4 founder and CEO Stu Sjouwerman (pronounced “shower-man”). “Before the cybercriminals launched their TDoS attack, they found a way to obtain Dr. Thousand’s Ameritrade account information and password. Victims in these cases are often targeted through phishing attempts or by clicking an innocuous-looking email link that downloads malware to their system. In this manner, criminals are able to capture account details, passwords and other personal information. Once they have access to an account, they can then change the contact numbers and impersonate the victim when communicating with the bank or broker.”

Sjouwerman advises those on the receiving end of a telephony DoS attack to immediately contact all financial institutions where they hold accounts and request a halt to any transfer requests, and then report the suspected cybercrime to the authorities. The sooner victims act, the better chance they have of preventing or minimizing potential losses. However, Sjouwerman emphasizes that Internet security awareness is critical in order for targets to prevent a cybercriminal from obtaining their account information in the first place.

“As awareness of phishing tactics increases, people are becoming more wary of emails from unknown senders. However, cybercriminals have become much more sophisticated in their practices. They are able to convincingly make it appear as if an email is being sent by a bank, government institution or trusted friend or colleague,” noted Sjouwerman. “All it takes is a single click to unwittingly give intruders access to a computer. They can then view all of the personal information contained within, as well as any transactions conducted online.”

While individuals must take responsibility for their own Internet activity and data security, Sjouwerman stressed that businesses need to implement proactive measures to minimize their employees’ vulnerability to phishing tactics. “In many cases, data security breaches that occur from within a company are not the result of any employee’s malicious intent, but rather an honest mistake made by someone who happened to be susceptible to phishing. That’s why Internet security awareness training is so important. It helps personnel identify and avoid potential phishing attempts that can expose the company to financial loss and intellectual property theft.”