Worms are becoming more virulent at the same time as operating system improvements
try to contain them.Recent research demonstrates several effective methods to
detect and prevent randomly scanning worms from spreading [2, 13]. As a result,
worm authors are looking for new ways to acquire vulnerable targets without relying
on randomly scanning for them. It is often possible to find vulnerable web servers
by sending carefully crafted queries to search engines. Search worms1 automate this
approach and spread by using popular search engines to find new attack vectors.
These worms not only put significant load on search engines, they also evade
detection mechanisms that assume random scanning. From the point of view of a
search engine, signatures against search queries are only a temporary measure as
many different search queries lead to the same results. In this paper, we present
our experience with search worms and a framework that allows search engines to
quickly detect new worms and take automatic countermeasures. We argue that
signature-based filtering of search queries is ill-suited for protecting against
search worms and show how we prevent worm propagation without relying on query
signatures. We illustrate our approach with measurements and numeric simulations.