Are you Feeling Lucky?

Posted by Gunter Ollmann on April 24, 2008 at 6:33 PM EDT.

Given the proliferation of sites infected with malicious drive-by download attack code, isn't it about time to retire Google's "I'm Feeling Lucky" search button?

While mass defacements have always caused consternation within the security community, the dramatic increase in mass attacks this year is more worrying than usual. Unlike previous years, in which the objective was to post some kind of message for the world to see, today's generation of mass attacks is profit driven and seeks to subtly inject sites with hidden iframe-encapsulated URLs, which subsequently cause malicious JavaScript to be executed within the victim's browser, thereby propagating malware through a drive-by download vector.
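As an added illustration (this is not code from the original post), the script below flags the hidden-iframe pattern described above when run over a page's HTML: iframes that are concealed (zero-size, or hidden via CSS on the frame itself or on an enclosing element) and whose src points off-site. The sample page, the attacker host evil.invalid and the page host www.example.com are all constructed for the example.

```python
"""Flag hidden, off-site iframes of the kind injected for drive-by downloads.

Added example; the sample HTML and all host names are constructed, not taken
from any real compromised site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with two injected frames and one
# hidden but same-site frame (a common false-positive source).
SAMPLE_HTML = """
<html><body>
<h1>Welcome to Example Corp</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>Latest news</p>
<iframe src="http://evil.invalid/in.cgi?3" width=0 height=0 style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://evil.invalid/x.js"></iframe></div>
<iframe src="/stats.html" width=0 height=0></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never receive a closing tag, so they must not stay on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def _is_tiny(value):
    """True for width/height values used to make a frame invisible (0, 1, 0px ...)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hidden_depth = 0     # number of open ancestors styled hidden
        self.stack = []           # (tag, contributed_to_hidden_depth)
        self.findings = []        # src of every concealed off-site iframe

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_self = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            src = a.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            tiny = _is_tiny(a.get("width")) or _is_tiny(a.get("height"))
            concealed = tiny or hidden_self or self.hidden_depth > 0
            # A relative or same-host src is not treated as injected here.
            external = bool(host) and host != self.page_host
            if concealed and external:
                self.findings.append(src)
        if tag in VOID_TAGS:
            return
        if hidden_self:
            self.hidden_depth += 1
        self.stack.append((tag, hidden_self))

    def handle_endtag(self, tag):
        # Pop to the matching open tag, undoing any hidden-ancestor counts.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                for _, hidden in self.stack[i:]:
                    if hidden:
                        self.hidden_depth -= 1
                del self.stack[i:]
                break


def find_hidden_iframes(html, page_host):
    """Return the src of each concealed iframe that points off-site."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML, "www.example.com"):
        print("suspicious hidden iframe:", src)
```

The two evil.invalid frames are reported; the visible YouTube embed and the zero-size same-site frame are not. The check is a static heuristic only: an injected frame that points at another path on the same compromised host, or one written at runtime by obfuscated JavaScript (document.write and friends), will not be caught without rendering the page.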

Over the last couple of months we've been observing weekly defacements numbering in the hundreds of thousands. The specific vectors change every few weeks. For a short while it was through IIS/ASP/SQL vulnerabilities, the next it was through Search Engine Optimization (SEO) injection attacks, and today it's being reported that more than half a million sites have been infected through a simple SQL injection vector.

Several years ago I commented on the potential dangers related to the way people used search engines to reach their online banking portals, i.e. the URLs and site names were so hard to remember that banking customers were simply typing "mybank online" or similar into their favorite search engine and clicking the first or second link on the results page, using the search engine as a kind of alternative DNS infrastructure. At the time I pointed out that even simple SEO attacks (or page rank escalation) could be advantageous to phishers.

Now, since just about any popular Web site appears to have an equal probability of containing an embedded drive-by download link, the risk of blindly following links between sites is greater than ever. It's for this reason that I think it may be a good idea for Google to consider retiring the "I'm Feeling Lucky" button.

Sure, we've all played with the "I'm Feeling Lucky" button on slow and boring days. But in today's drive-by download world I've got the feeling that "luck" is probably a depreciating commodity as far as the Web is concerned.

As Clint Eastwood once said in Dirty Harry, "you've got to ask yourself one question: Do I feel lucky? Well, do ya, punk?"

    Copyright 2001-2008 © Gunter Ollmann