A new piece of malware called Downloader.Sninfs, which uses Twitter and various pastebin services to issue updates to its botnet, was recently discovered. Security experts now warn that Google's search engine could be abused in a similar manner to make a botnet more resilient to takedown efforts.
Botnets play a big role in today's underground economy and malware landscape. As a Kaspersky security researcher recently detailed in a study, these armies of zombie computers are very flexible and can be used to perform a vast array of illegal activities such as DDoS, spam, adware distribution, click fraud, e-mail harvesting and others, racking up hundreds of millions of dollars in profits for their owners.
Maintaining botnets requires issuing constant updates to the compromised computers comprising them. Cybercrooks are constantly looking for ways to make these update mechanisms more resilient to the takedown efforts of security experts.
According to Vincalek's explanation for Network World, the method is rather straightforward and does not require a great deal of technical knowledge. First, an attacker would need to compromise a few websites through persistent XSS or SQL injection, two very common web-attack techniques. After injecting the rogue update code into the pages, their metadata could be altered so that they appear in search results for a very uncommon string of keywords.
The botnet clients can then be programmed to search Google for those keywords and fetch the update code from the pages returned as search results. "If the botnet starts using Google for special keywords and finds the code and executes, you can start using Google as the transmission of the code or instructions to these botnets," the researcher noted, adding that he was not aware of this method currently being used in the wild.