Search Worms
Niels Provos
Google
Abstract
Worms are becoming more virulent at the same time as operating system
improvements try to contain them. Recent research demonstrates
several effective methods to detect and prevent randomly scanning
worms from spreading. As a result,
worm authors are looking for new ways to acquire vulnerable targets
without relying on randomly scanning for them. It is often possible
to find vulnerable web servers by sending carefully crafted queries to
search engines. Search worms automate this approach and spread by
using popular search engines to find new attack vectors. These worms
not only put significant load on search engines, they also evade
detection mechanisms that assume random scanning. From the point of
view of a search engine, signatures against search queries are only a
temporary measure as many different search queries lead to the same
results. In this talk, we present our experience with search worms
and a framework that allows search engines to quickly detect new worms
and take automatic countermeasures. We argue that signature-based
filtering of search queries is ill-suited for protecting against
search worms and show how we prevent worm propagation without relying
on query signatures. We illustrate our approach with measurements and
numeric simulations.
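The abstract's point that query signatures are only temporary, because many different queries lead to the same results, can be illustrated with a small sketch. This is an added example and not the framework presented in the talk: the toy index, the placeholder product name ExampleBoard, the overlap threshold and the result-overlap check itself are assumptions made here.

```python
import re

# Constructed toy index: query string -> set of hosts returned.
# All queries, hosts and the product name are placeholders.
INDEX = {
    '"powered by ExampleBoard 1.0"': {"a.example", "b.example", "c.example", "d.example"},
    'ExampleBoard 1.0 "view topic"': {"a.example", "b.example", "c.example", "e.example"},
    'inurl:board.cgi ExampleBoard': {"b.example", "c.example", "d.example", "e.example"},
    'gardening forum tips': {"c.example", "g.example", "h.example", "i.example"},
}

# Query signature written after the first worm query was observed.
SIGNATURE = re.compile(r'"powered by ExampleBoard', re.IGNORECASE)


def signature_blocks(query):
    """Filter keyed on the query text."""
    return bool(SIGNATURE.search(query))


def jaccard(a, b):
    """Overlap of two result sets, 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class ResultKeyedFilter:
    """Filter keyed on what a query returns, not on how it is phrased."""

    def __init__(self, threshold=0.5):  # threshold is an assumed value
        self.threshold = threshold
        self.flagged = []  # result sets of queries already judged worm traffic

    def flag(self, query):
        self.flagged.append(INDEX[query])

    def blocks(self, query):
        results = INDEX.get(query, set())
        return any(jaccard(results, f) >= self.threshold for f in self.flagged)


def compare():
    """Return {query: (blocked_by_signature, blocked_by_result_overlap)}."""
    rkf = ResultKeyedFilter()
    rkf.flag('"powered by ExampleBoard 1.0"')  # the one query seen so far
    return {q: (signature_blocks(q), rkf.blocks(q)) for q in INDEX}


if __name__ == "__main__":
    for query, verdict in compare().items():
        print(verdict, query)
```

The two rephrased queries pass the signature but share most of their results with the flagged one, while the unrelated query shares a single host and is left alone.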