
Google Dorks: fighting fire with fire

During my recent research into PHP backdoors, bots and shells, I came across a few IRC servers which looked pretty suspicious. After lurking in these channels I noticed that most of them were all about controlling botnets, automated exploitation and credit card fraud. This isn’t news – channels and IRC servers like this have been a hot media topic for the last five years. The question is, though, how can we find them so we can shut them down?

Digging a bit deeper in some of the channels, and looking at the websites people were talking about in these channels, I started to see patterns. For example, some of the websites use the same words, phrases and layout. By combining these terms and creating a simple rotation algorithm I could use search engines to find websites offering illegal stuff such as credit card data and skimming tools.

It’s not just the websites that use the same words and phrases. The IRC channels also use much the same information. Some IRC channel information actually gets indexed by bots, and if the owners of these websites use any semi-public IRC network, their channel will get indexed. Looking at, for example, the color schemes in channel topics, or specific words and phrases, it’s extremely easy to find these sites through simple search engine queries.

But I found out that instead of identifying the actual IRC server, you can identify the backdoor a hacker has installed on a compromised host. Most of the backdoors I identified were either written in PHP or Perl. The bots written in Perl were, in most cases, downloaded and executed by a PHP backdoor. Since the PHP backdoors are web based, even they are indexed by search engines 🙂 So through these search engines you can find the backdoors, and the backdoors have a function to read arbitrary files, which makes it pretty simple to read the source code of the backdoor or IRC-bot, which contains specific information about the relevant IRC server!
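The post finds these PHP backdoors from the outside, through search engine indexing. A site owner can look for the same traits from the inside: a PHP file that reads whichever path a request parameter names, runs a command taken from a request parameter, or evaluates an obfuscated payload is exactly the kind of file described above. The following scanner is an added example, not code from the original post or from Kaspersky; the indicator patterns and the sample file contents are constructed assumptions for illustration, so a real deployment would tune them to the site's own code base.

```python
import re

# Heuristic indicators of the backdoor behaviour described in the post.
# These regexes are assumptions for this example, not a signature list
# taken from the original research.
INDICATORS = {
    # file read whose path comes straight from the HTTP request
    "arbitrary_file_read": re.compile(
        r"\b(readfile|file_get_contents|fopen|show_source|highlight_file)"
        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # command execution whose argument comes straight from the HTTP request
    "command_execution": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)"
        r"\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    # eval() over a decoded/inflated blob, a common way to hide the real code
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
}


def scan_php_source(name: str, source: str) -> list[tuple[str, int, str]]:
    """Return (indicator, line_number, matched_text) for every hit in one file.

    Hits are reported per line so an analyst can jump straight to the code.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS.items():
            match = pattern.search(line)
            if match:
                hits.append((label, lineno, match.group(0)))
    return hits


def scan_tree(files: dict[str, str]) -> dict[str, list[tuple[str, int, str]]]:
    """Scan a mapping of path -> PHP source; keep only files with at least one hit."""
    report = {}
    for path, source in files.items():
        hits = scan_php_source(path, source)
        if hits:
            report[path] = hits
    return report


# Constructed sample web root: one legitimate file and one file that shows
# the traits of the backdoors discussed in the post. Both are made up for
# this example.
SAMPLES = {
    "index.php": (
        "<?php\n"
        "$config = file_get_contents(__DIR__ . '/config.json');\n"
        "echo htmlspecialchars($_GET['q'] ?? '');\n"
    ),
    "images/.cache.php": (
        "<?php\n"
        "// constructed sample of an indexed PHP backdoor\n"
        "if (isset($_GET['f'])) { readfile($_GET['f']); }\n"
        "if (isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }\n"
        "eval(base64_decode($payload));\n"
    ),
}


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLES).items():
        print(path)
        for label, lineno, text in hits:
            print(f"  line {lineno}: {label}: {text}")
```

Running the block prints only `images/.cache.php` with three hits (lines 3, 4 and 5); `index.php` is silent because its `file_get_contents` call takes a fixed path and the request parameter is only echoed, not executed. The check is deliberately line-oriented and regex-based so it can be run over a webroot with no PHP runtime installed; it trades some false positives (legitimate code that passes request data to `fopen`) for simplicity, which is the right trade when triaging a host that search results suggest may already be carrying a backdoor.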

Looking at some backdoors, I noticed that they don’t just install other backdoors, they also install phishing websites. The backdoors led me on a trail which ended up at a website offering a complete archive of phishing websites – BankOfAmerica.com, WesternUnion.com, PayPal, CITY Bank etc.

What’s quite ironic is that these hackers use something called “Google Dorks” to find vulnerable sites, but we can also use “Google Dorks” to find the attackers and their IRC channels.

And a funny footnote: while writing this, I was listening to a song by the drum ‘n’ bass band “The Qemists” where they sing: “If you play with fire, you will get burned” 🙂
