May 6, 2013 By Dancho Danchev

New version of DIY Google Dorks based mass website hacking tool spotted in the wild

Need a compelling reason to perform search engine reconnaissance on your website, for the purpose of securing it against eventual compromise? We’re about to give you a good one.

A new version of a well known mass website hacking tool has been recently released, empowering virtually anyone who buys it with the capability to efficiently build “hit lists” of remotely exploitable websites for the purpose of abusing them in a malicious or fraudulent fashion. Relying on Google Dorks for performing search engine reconnaissance, the tool has built-in SQL injecting options, the ability to add custom exploits, a proxy aggregation function so that no CAPTCHA challenge is ever displayed to the attacker, and other related features currently under development.

More details:

Sample screenshots of the DIY mass Web site hacking tool in action:

Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_01 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_02 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_03 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_04 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_05 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_06 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_07 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_08 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_09 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_10 Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_11

Google_Dorks_Mass_Web_Site_Hacking_Tool_XSS_SQL_Injection_12

The tool works both on the desktop as a stand alone application, but can also be integrated within popular browsers in an attempt to fool the search engines into thinking that it is legitimate traffic. It can also automatically detect remotely exploitable websites and exploit them entirely based on the preferences set by the malicious attacker using it.

Its licensing comes in a hardware-based ID form. One license goes for $10 in Liberty Reserve currency, or $11 in Western Union transfer. The unlimited license doesn’t have a hardware-based ID restriction, and goes for $20 in Liberty Reserve, or $20 in Western Union transfer.

Efficiently abusing hundreds of thousands of websites through search engines reconnaissance is nothing new. In fact, it’s been an every day reality since the day market leading search engines started offering advanced search operators to be used. There are several ways through which a cybercriminal can efficiently exploit hundreds of thousands of legitimate Web sites:

  • Search engine reconnaissance through DIY SQL/RFI (Remote File Inclusion) tools, or botnetsDIY tools and botnets performing these actions have been available on the underground marketplace for years, empowering novice cybercriminals with the capabilities to exploit insecurely configured websites, blogging platforms, domain portfolio managing tools, Web forums, as well as CMSs (content management systems).
  • Use of data mined or purchased stolen accounting dataWe’ve seen it in the past, and we continue seeing it in the present. Cybercriminals continue data mining malware infected hosts, looking for login credentials to be automatically abused with malicious scripts and actual executables getting hosted on legitimate websites in an attempt to trick a security solution’s IP reputation process.
  • Active exploitation of server farms – A cybercriminal’s mentality is fairly simple as it has to do with efficiency. The higher the page rank of the infected legitimate website, the better, as the campaign will attract a lot of traffic. However, the high page rank also increases the probability of a successful detection by the security community. What would a cybercriminal do in this case? They’ll take advantage of the ‘Long Tail‘ concept, infecting as many low profile websites as possible. This is theoretically capable of achieving the same traffic volumes as if they were to infect a high page rank-ed website. One of the most recent tactics we’ve seen has to do with the practice of infecting all the domains parked at a specific (compromised) server, through commercially available Apache backdoors.

We’ll continue monitoring the development of this tool, and post updates as soon as new developments emerge, in particular, the introduction of features.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Share Button

Trackbacks

  1. […] Webroot blog post announced that a new version of DIY Google Dorks based hacking tool has been released in the wild […]

  2. […] Version of DIY Google Dorks Based Mass Website Hacking Tool Spotted In The Wild: http://blog.webroot.com/2013/05/06/new-version-of-diy-google-dorks-based-mass-website-hacking-tool-s… Need a compelling reason to perform search engine reconnaissance on your website, for the purpose […]

  3. […] they can buy access to compromised Web servers — or directly compromise them through DIY Google Dorks tools — and instead of monetizing the traffic by serving client-side exploits, they can filter and […]

  4. […] – we’ve already emphasized on the existence of this practice, in our previous ‘New version of DIY Google Dorks based mass website hacking tool spotted in the wild‘ post, and highlighted the commercial availability of these easy to use and highly efficient […]

  5. […] instance, they can buy access to compromised Web servers — or directly compromise them through DIY Google Dorks tools — and instead of monetizing the traffic by serving client-side exploits, they can filter and […]

true