HT1 204 pdf

Chris Larsen

Malware Research Team Lead Blue Coat Systems

@bc_malware_guy

www.bluecoat.com/security [email protected]

Why is Search Engine

Outline

ƒ Big Picture

ƒ Definitions & Background

ƒ The Way Things Were

ƒ The Way Things Are

ƒ Details

ƒ Modern SEP Tactics

ƒ Defensive Strategies

SEP: Big Picture

Quick Definitions

ƒ Search Engine Optimization (SEO):

ƒ Optimizing a site to get high-ranking pages

ƒ White Hat SEO: acceptable

ƒ Gray Hat SEO: shady/unacceptable (think .co.cc)

ƒ Black Hat SEO: malware or hacked-site angle

ƒ Search Engine Poisoning (SEP):

Quick Definitions

Quick Definitions

Quick Definitions

Bait:

The content “seen” by the search engine.

Hook:

Background: Why SEP Strategies Work

ƒ Tons of traffic == lots of potential victims

ƒ Users are in “explore mode”

ƒ Element of trust

ƒ Built-in “hackability”:

ƒ Search Engines let you “inject” pages

ƒ (this version can be totally safe)

ƒ Then “serve” those pages back to users as URLs

ƒ (this version can have any payload)

SEP: Big Picture

“Old Days”: Easy to Find SEP Attacks

ƒ Google research paper* (2008):

ƒ “approx. 1.3% of the incoming search queries… returned at least one [malicious] URL”

ƒ Large scale:

ƒ Lots of link-farms == wide coverage & high score

ƒ Very active

ƒ Also easy to find “dangerous searches”

ƒ This was actually an informal game on our team…

ƒ Pre-Black Friday cyber-shopping…

ƒ Me: mention blog; Wife: “What does malware look like?”

ƒ “black friday flat screen tv”

ƒ 1 SEP link:

SEP Example: Black Friday 2009

ƒ “black friday zhu zhu pets”

Early “Dangerosity” Research (2009)

Sample 

Queries

Google Bing Yahoo Baidu

Safe, hobby  type query

1 5 2 6

Adult escort  query

2 4 8 10

Non‐English  porn query

10 10 10 3 (out of 3)

ƒ Tally count of malicious/suspicious links in Top 10 search results…

ƒ …for different types of queries…

ƒ …in different search engines.

SEP Timeline: 2010-2011

ƒ Ad hoc “SEP hunting” getting harder:

ƒ Winter Olympics: took 6 tries

ƒ Thanksgiving: no luck; trace back from Fake AV

ƒ (lots of link-farms on hacked sites)

ƒ Japan Disasters: ditto

ƒ (btw, where did the blogs go? de-emphasized?)

ƒ Rise of Image SEP

ƒ Harder for SE’s to detect algorithmically…

ƒ Dynamically generated pages

The Rise of Image SEP

a hard problem

ƒ Text-processing

algorithms don’t help

ƒ E.g., may need

cultural knowledge:

ƒ (one of the four SEP images doesn’t “fit”)

ƒ (hiphop vs. anime)

ƒ …

ƒ Summary: Yes, new worries, but still, visible progress…

SEP: Big Picture

Summer 2011: The Mid-year Report

ƒ Wake-up Call: SEP is the #1 attack vector

Winter 2011: The Annual Report

ƒ And that hasn’t changed:

Background: Calculating Attack Vectors

ƒ Start at the pointy end…

ƒ …trace back to see where victim came from…

ƒ …and back again, until you hit a “trusted” site

ƒ These are starting points (Bing, Gmail, Facebook…)

ƒ Then tally up the starting points

SEP: Details

Modern SEP Tactics

Goog Bing Baidu Yandex G‐HK G‐Ru K9

Windows 7 ultimate download

1* 0* 0* 0* 2* 0* 0*

panera bread prices

0 ~1 2 ~1 ~1 ~1 ~1

Mario brothers pumpkin stencils

1 0 9 5 2 0 0

[porn star name]

1 1* 0 3 0 1  0

sheneneh jenkins for halloween

1 1 0 0 2 1 0

funny curling team names

4 3 6 10 5 5 1

air force tax advisor policy letter

2 3 2 8 4 2 0

halimbawa ng batutian

8 9 9 5 7 7 8

“Dangerosity” Research, Phase 1

ƒ Bing/Yahoo have caught up with Google

ƒ Baidu & Yandex haven’t

ƒ (still fooled by “old school” SEP)

ƒ Google .hk/.ru slightly worse than .com

ƒ (seems true across the board for non-English SE’s)

ƒ Non-English content harder to catch

ƒ “Shady content” searches not so different

ƒ (similar SEP link counts to “normal content” searches)

ƒ SEP sites: DynDNS, hacked, dedicated

SEP: Details

Modern SEP Tactics

“Dangerosity” Research, Phase 2

ƒ As we auto-trace malnet traffic…

ƒ …and hit a Search Engine…

ƒ …try to parse (and log) the search terms

ƒ 2300+ search term sets collected (~5 weeks)

Proxy , 

Un‐

blocker

Porn Non‐

English Celeb Video Stream Specific Site Specific 

App / 

SW

Holiday Misc

2.0% 11.2% 18.1% 2.7% 3.5% 9.5% 5.8% 5.3% 42.0%

ƒ Most SEP-infected searches were “Misc”

ƒ Lots of non-English searches

ƒ Many “specific site” searches are for videos

ƒ Many “specific app” searches looking for warez

ƒ Proxy/unblocker searches mostly M-F

Proxy , 

Un‐

blocker

Porn Non‐

English Celeb Video Stream Specific Site Specific 

App / 

SW

Holiday Misc

2.0% 11.2% 18.1% 2.7% 3.5% 9.5% 5.8% 5.3% 42.0%

Phase 2 Observations

ƒ Many “theme” searches from specialty link-farms

ƒ Mulligan categories (if I did this again):

ƒ “Health/Medical”

ƒ “Sample Letters”

ƒ Celebrity searches were interesting…

Proxy , 

Un‐

blocker

Porn Non‐

English Celeb Video Stream Specific Site Specific 

App / 

SW

Holiday Misc

Phase 2 Observations (cont.)

ƒ Celebrity searches just 2.7% ????

ƒ Again: we’re not looking at “% of all searches”

ƒ …we’re looking at % of “Searches that led to an SEP click”, where search was for celeb names

ƒ Most “celeb” searches were not “A-list” stars

ƒ I had to google many of them

ƒ A-list celeb names were usually Porn searches

Non-SEP Example: “Shiantology”

ƒ ___ announced a new celeb SEP attack

ƒ (oh no! hacked fan site!)

ƒ But the site is on Page 5…

ƒ Will anyone actually see it and click???

ƒ Not many (at least of our 75M+ users)

ƒ Nearly all traffic not from search engines

ƒ (A few image searches, but mostly Twitter links)

ƒ (non-junk fan site this deep shows SEO competition)

ƒ SEP involves poisoning the search engines

SEP: Details

Modern SEP Tactics

“Dangerosity” Research, Phase 2.1

ƒ Auto-detect SEP type (text vs. image)

ƒ Image SEP ratio:

ƒ 332 / 6834 = 4.86%

ƒ (lower than I expected – sky isn’t falling)

ƒ Image SEP notes:

ƒ Lower ratio of non-English: 10.5% (vs. 18.1%)

ƒ Higher ratio of porn-ish: 14.8% (vs. 11.2%)

Observations on Image SEP

ƒ Text searches only show Top 10 on page 1…

ƒ …few people go deep

ƒ Image searches show Top 24-30 on page 1…

ƒ …but hundreds altogether (easy to scroll)

ƒ Easier to sneak one in that people will see

SEP: Details

Modern SEP Tactics

“Dangerosity” Research, Phase 2.2

ƒ What about “Big Event” SEP?

ƒ Folks love to hype the danger. Is it Truth? or Tabloid?

ƒ Choose a couple of noteworthy events

ƒ Death of Steve Jobs (Oct 5th)

ƒ Costa Concordia sinking (Jan 13th)

“Big Event” SEP, Test #1

ƒ For Mr. Jobs:

ƒ 9598 “SEP search term sets” logged…

ƒ 3 were about him

ƒ Specific: e.g., “steve jobs boat”

ƒ Or “harmony-seeking idealist jobs”

– (arguably just 2 hits…)

“Big Event” SEP, Test #2

ƒ For Costa Concordia wreck:

ƒ 12,888 “SEP search term sets” logged…

ƒ 3 “costa” searches

ƒ (note that “costa rica” had just as many)

ƒ 9 “cruise” searches

ƒ (including “pictures cruise ship cabins”)

“Big Event” SEP Summary

ƒ Lots of competition for the top slots

ƒ Maybe if you specifically look for SEP links…

ƒ …and go beyond first page…

ƒ …you can find “SEP attacks”

ƒ But focus on # of people who clicked one…

SEP: Defensive Strategies

SEP Defense: Three Strategies

ƒ

User Education

ƒ

Web Filtering & Log Checking

SEP Defense: User Education

ƒ Raise general awareness

ƒ Google & Bing have safe "preview" feature

ƒ Scan for obvious text problems

ƒ (SEs could help users do this by including bigger chunks!)

ƒ Do basic domain analysis

ƒ Junk name? Relevant name?)

SEP Defense: Filtering & Log Reporting

ƒ Stuff to block (and check logs for):

ƒ Porn/Adult

ƒ Hacking/Warez

ƒ Scam/Questionable/Illegal

SEP Defense: Secure YOUR Sites

ƒ Don’t become part of the problem!

ƒ SEP gangs love to use hacked sites

ƒ No domains to register

ƒ Use your bandwidth/space

ƒ Use your “Google Juice” to score higher

ƒ (e.g., .gov, .edu have value)

ƒ Known/trusted == harder to filter

Chris Larsen

Malware Research Team Lead Blue Coat Systems

@bc_malware_guy

[email protected] www.bluecoat.com/security

Why is Search Engine

Poisoning Still the