Message-ID: <003601caf3a4$a6a7c780$010000c0@ml>
Date: Fri, 14 May 2010 23:32:27 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: New vulnerability in bots of search engines (for security bypass)

Hello participants of Full-Disclosure.

Last year I already wrote about vulnerabilities in bots of search engines in
my articles URL Spoofing vulnerability in bots of search engines
(http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00047.html)
and URL Spoofing vulnerability in bots of search engines #2
(http://www.webappsec.org/lists/websecurity/archive/2009-04/msg00056.html).
And in April I wrote about a new vulnerability in bots of search engines.

Last month, in the article Bypassing systems for searching of viruses at web
sites (http://websecurity.com.ua/4173/), I wrote about a vulnerability in bots
of search engines which have built-in antivirus protection systems (for now
there are three such search engines). This concerns all systems for
searching for viruses at web sites which have such behavior.

At the beginning of April I tested systems for searching for viruses at web
sites and wrote an article about it. In my article I examined different
systems for searching for viruses at web sites, both standalone and built
into search engines. Last month I sent a brief description of my article to
the WASC Mailing List, but because it was not published (for unknown
reasons), I'll not be telling you anything about that research :-) (in case
it does not correspond with the rules of the list) - whoever wants to know
more about it can contact me by email.

So one day in April I was thinking about the subject of protecting against
viruses at web sites and I found a possibility to bypass such systems,
especially those which are built into search engines, which I wrote about in
the above-mentioned article. In brief, the method is as follows.

Bypassing systems for searching for viruses at web sites is possible using
cloaking. The User Agent is analyzed, and if it's a search engine, then the
malicious code is not shown; if it's a browser, then it is shown. So the same
cloaking which is used for SEO can be used for malware spreading and hiding
from systems for searching for viruses at web sites, particularly from
search engines with built-in antivirus systems, because they are using bots
of search engines with known user agents.

Note that I saw the use of the cloaking method in malicious scripts during
my research in recent years. Particularly I saw checking of the referer (and
a similar approach can be used for the User Agent). And this method of
protecting malicious code from systems for searching for viruses creates a
serious challenge for these systems.

P.S.

Recently in May, half a month after I posted my article, I got to know from
the news that bad guys are already actively using this method (you can hear
about this in the news). Recently many WordPress-based sites were hacked and
infected with viruses, and the code for distributing malware was using
cloaking to hide the malicious code from the built-in antivirus in the
search engines Google and Yahoo.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
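The defensive counterpart to the cloaking described in the post above is a differential fetch: request the same URL under a crawler identity and under browser identities (with and without a search-engine Referer) and compare the active content each identity receives. The following is an added example, not code from MustLive's post; the User-Agent strings are illustrative, and `fake_fetch` is a constructed stand-in for an HTTP GET so the check runs offline (a real scanner would put `urllib.request` or `requests` in its place).

```python
"""Differential-fetch detector for User-Agent / Referer cloaking.

Added example (not from the original post). Fetches one URL under several
client profiles and reports script/iframe fragments a browser receives that
the crawler profile does not, which is exactly the gap a cloaked malware
injection relies on to evade a search engine's built-in antivirus.
"""
import re
from typing import Callable, Dict, List

# Client profiles for the differential fetch. UA strings are illustrative
# (assumption: any crawler UA vs any browser UA works the same way).
PROFILES: Dict[str, Dict[str, str]] = {
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                      "+http://www.google.com/bot.html)",
    },
    "browser-direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
    },
    "browser-from-search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
        "Referer": "http://www.google.com/search?q=example",
    },
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)


def active_content(html: str) -> List[str]:
    """Return the parts of a page that matter for malware checks (script
    blocks and iframe tags), whitespace-normalised and sorted so that
    harmless per-request differences (timestamps, counters) don't trigger."""
    found = SCRIPT_RE.findall(html) + IFRAME_RE.findall(html)
    return sorted(re.sub(r"\s+", " ", f).strip() for f in found)


def detect_cloaking(url: str,
                    fetch: Callable[[str, Dict[str, str]], str],
                    profiles: Dict[str, Dict[str, str]] = PROFILES,
                    baseline: str = "crawler") -> Dict[str, List[str]]:
    """Fetch `url` once per profile and compare against the crawler's view.

    Returns {profile: [fragments served to that profile but hidden from the
    crawler]}; an empty dict means every identity saw the same active content."""
    views = {name: active_content(fetch(url, headers))
             for name, headers in profiles.items()}
    crawler_view = set(views[baseline])
    report: Dict[str, List[str]] = {}
    for name, fragments in views.items():
        if name == baseline:
            continue
        hidden_from_crawler = [f for f in fragments if f not in crawler_view]
        if hidden_from_crawler:
            report[name] = hidden_from_crawler
    return report


# Constructed fixture standing in for an HTTP GET against a compromised page:
# the crawler and a direct visitor get the clean page, a visitor arriving from
# a search result gets an injected script (the referer-keyed variant the post
# mentions). Replace with a real GET to scan a live site.
CLEAN = ('<html><body><h1>Blog</h1>'
         '<script src="/js/app.js"></script></body></html>')
INJECTED = CLEAN.replace(
    "</body>", "<script>/* injected placeholder */</script></body>")


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    if "Googlebot" in headers.get("User-Agent", ""):
        return CLEAN
    if "google.com/search" in headers.get("Referer", ""):
        return INJECTED
    return CLEAN


if __name__ == "__main__":
    findings = detect_cloaking("http://example.test/", fake_fetch)
    for profile, fragments in findings.items():
        print(f"{profile}: hidden from crawler -> {fragments}")
    if not findings:
        print("no cloaking detected")
```

Because the comparison is keyed on script and iframe fragments rather than on a whole-page hash, ordinary dynamic content does not cause false positives, while any script that only a browser identity receives is surfaced. Adding further profiles (other crawler user agents, other Referer values, or a Cookie header) extends the same check to the other cloaking keys a site might use.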
