Could search sites spawn worms?

Worm attacks are bad enough by themselves, but some experts warn of an even more devastating variation: one that strikes at the application level instead of targeting network infrastructure, and spreads to Web sites through Web-based search engines.

Essentially, a smart worm could crawl into the data gathered by a search engine to identify the most vulnerable sites and target them, say some security experts and analysts.

List of victims

"Search engines basically crawl Web sites and all their links, and categorize them," says Shlomo Kramer, CEO and president of Imperva Inc., a Web application security company. Among the ways search site "bots" categorize sites is by their vulnerability.

"These vulnerabilities are indexed and saved in a very organized way, and are available for anybody to access," Kramer says.

A worm could contain code to seek out those particular search engine lists. It wouldn't have to scan thousands, or tens of thousands, of pages to find its next target, Kramer says. The worm could just check the search engine's list of vulnerable sites, because every site on that list would be a good target.

Such lists are compiled by Google Inc., Yahoo Inc., and other leading search sites, Kramer says, and analysts agree that danger of their exploitation exists.

"The real difference that search engines bring is a new way that worms can find vulnerable systems," says John Pescatore, vice president for Internet security at Gartner Inc. "(Worms like) Code Red and Nimda just started pounding on the Internet, and you had time to react. The search engine attack is quieter, so worms can get further along without people noticing."

Access to a storehouse of such information could definitely speed up a worm, agrees Rob Enderle, principle analyst with The Enderle Group.

"The end result would be a much faster virus, one where the vulnerable sites (are) hit in the first wave, (the virus) creating massive damage long before the IT organization or virus protection companies can react," Enderle says. "Any place that aggregates information that could be used like this and then shares it would be an ideal place to start if you wanted to hit a lot of exposed sites at once."

No comment from sites

Representatives of the major search engines did not want to comment on this technology or the likelihood that a worm could exploit information in this way.

Yahoo representatives declined to comment. A Google representative said, "Because of restrictions due to its quiet period, Google is unable to comment on this issue." However, a Google comment for this story was sought prior to the company's filing its intent for an initial public stock offering, and the company's response did not come until after its quiet period had begun.

Enderle suggests that most of the leading search sites maintain security of such information.

"The major engines are relatively secure, primarily to keep folks from hacking the sites," he says. "However, this data may be exposed to third-party applications and clients." He suspects that might be where security could be compromised and the information retrieved by a smart worm.

Slow starter, fast traveler

Fortunately, it would take a hacker with some serious coding knowledge to create a worm of this type.

"It requires more knowledge than the script kiddies have," Imperva's Kramer says, speaking of the inexperienced hackers who copy others' code rather than write their own. "But with a worm, a single person could anonymously attack many, many sites."

And unlike denial-of-service attacks that target specific sites, usually high-profile companies, these application-level attacks could target anyone, Kramer adds.

"You don't need to be a well-known company or bank to be attacked. The worms will go after anyone with an exposed application," he says.

While no such worms are yet known to be wriggling across the Net, plenty of application-level attacks have been performed manually.

"We recently did a penetration study on an online banking system. After 3 hours, we were able to transfer any amount of funds we wanted," Kramer says of a recent project for a client. "When we showed the company the results, we really had to convince them, because no alarms went off."

How to protect your site

The good news is that companies, in particular, can take several easy steps to keep their Web sites safe.

"Make sure that search engines don't index parts of your site that you don't want them to index," Gartner's Pescatore says. "There are different protocols that can keep the Googles of the world from going places you don't want them to go. It's a matter of good hygiene."

You can check search engines to find out what information they have about your company's site, too.

"It's good to know if there's anything embarrassing or dangerous on a search engine," Pescatore adds.

Also, some corporate firewall programs afford additional protection. Some are host-based, but others can run on your business network.

"Network-based products from companies like Imperva, Tipping Point (Technologies Inc.), Network Associates (Inc.), and others block access to the vulnerability," Pescatore says. "You don't need to see the attack first, you just need knowledge of the vulnerability. The host-based approaches block any worms from getting to your host, but you have to put (the program) on every single host."

Any product that blocks worms will work against application-level worms, however. "If you block access to the vulnerability, you block every form of attack, whether it found the vulnerability through a search engine, or (whether) it's just a 14-year-old kid trying to get in," he says.