Web Worms Can Google, Too


By Alex Salkever

Google some time ago earned its reputation as a technological master of the online universe. The planet's biggest and most powerful search engine made quick response to Web queries a point of pride, even listing the response time on the search page. To shave seconds off the response time, Google spent tens of millions of dollars building exotic software and spreading its specialized hardware across the globe. No response at all was unthinkable.

Yet on the morning of July 26, new variants of the so-called MyDoom computer worm laid bare troubling chinks in Google's digital armor. On the day Google was hoping the world would focus on what it expects to get for a share of its stock when it goes public next month (see BW Online, 7/27/04, "Google's IPO: Asking Too Much?"), the search engine crawled to an embarrassing halt. A barrage of search queries from machines infected with the worm significantly reduced Google's response times.

BOGUS OR LEGIT? According to Internet performance tracker Keynote Systems, the outage and slowdown started around 9:30 EST and concluded three hours later. During that period, untold numbers of Google users got error messages when they queried the usually reliable search engine. Others waited for long periods to get their results from Google's servers.

Google issued a statement saying the attack was brief and easily controlled. But the incident illustrates that a determined spammer can bring Google's network to its knees with a relatively small army of hijacked PCs. That's a troubling prospect for a company about to go public based on a business model dependent on its core ability to deliver reliable, lightning-fast search results around the clock.

Equally troubling, the MyDoom outage could foretell a future when Google will increasingly struggle to differentiate bogus queries from legitimate requests as worm attackers get smarter.

MULTIPLE LIVES. Some experts think the situation during the attack grew so dire that Google disabled its own search network while trying to combat the massive stream of queries. "It seemed like they did take things down to figure out what's going on," says John Pescatore, a computer-security analyst with tech consultancy Gartner.

Originally crafted by a German high school student in January, 2004, with the explicit purpose of denying access to servers of SCO Group (SCOX) because of its dispute over the Linux operating system source code, MyDoom has lived on as hackers have rebuilt it multiple times. The current versions, MyDoom "O" or "M", are only the latest. All MyDooms, however, have packed an insidious wallop. Like past versions, the current one spreads via attachments to e-mail that seem to come from co-workers, friends, and family. When the unsuspecting recipient clicks on these attachments, MyDoom loads software onto those PCs.

The software then hijacks the PC for nefarious purposes. The first MyDoom streamed meaningless data at SCO Group's Web site, effectively knocking it offline. The current version directed queries at Google in an attempt to harness the search engine to harvest even more e-mail addresses from the Web and build up a bigger network of compromised machines. Each MyDoom query searched for e-mail addresses that shared the same domain name as those stored on the hijacked PCs.

HARDER TO RECOVER. In that sense, MyDoom inadvertently overwhelmed the search engine, which, in some ways, was worse than a direct attack. An old-style denial-of-service attack would have looked like the same data coming from lots of different computers. In the case of MyDoom, the barrage looked like slightly different data coming from lots of individual PCs. And searching for e-mail addresses is a very common behavior among Google users. "MyDoom made it much harder for Google to recover when you look at the way this thing worked," says Pescatore.
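The difference between "the same data" and "slightly different data" can be shown on a query log. The following is an added example, not code from the article or from Google: the log lines, the `email <domain>` query shape, and every function name are constructed for illustration. It counts distinct clients per exact query and then per normalized query template.

```python
import re
from collections import defaultdict

# Constructed sample log of (client_ip, query) pairs; the IPs are
# documentation addresses and the query shape is an assumption.
SAMPLE_LOG = [
    ("198.51.100.7", "email example.org"),
    ("198.51.100.8", "email example.net"),
    ("198.51.100.9", "email example.com"),
    ("203.0.113.4", "email example.edu"),
    ("203.0.113.5", "cheap flights boston"),
    ("203.0.113.6", "weather boston"),
    ("203.0.113.6", "email example.org"),
]

# Matches a dotted hostname such as example.org.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def template(query):
    """Replace the per-client varying token (a domain) with a placeholder."""
    return DOMAIN.sub("<domain>", query.lower()).strip()


def clients_per_key(log, key_fn):
    """Map each key (exact query or template) to the distinct clients sending it."""
    seen = defaultdict(set)
    for ip, query in log:
        seen[key_fn(query)].add(ip)
    return seen


def flagged(log, key_fn, min_clients):
    """Return the keys sent by at least min_clients distinct clients."""
    per_key = clients_per_key(log, key_fn)
    return sorted(k for k, ips in per_key.items() if len(ips) >= min_clients)


if __name__ == "__main__":
    # Exact matching: no single query string is shared by 3 or more clients.
    print("exact   :", flagged(SAMPLE_LOG, str.lower, 3))
    # Template matching: the varying domain is collapsed, so the pattern shows up.
    print("template:", flagged(SAMPLE_LOG, template, 3))
```

Because searching for e-mail addresses is also common among legitimate users, a high client count for a template is a signal to investigate rather than proof of worm traffic.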

Google issued a statement during the attack saying the search engine "experienced slowness for a short period" but insisted that "at no point" was it "significantly impaired."

The July 26 attack underscored how vulnerable Google is to Web worms. And it likely lost hundreds of thousands in pay-per-click advertising revenues, its bread and butter, during prime East Coast business hours. These sales made up roughly three-quarters of Google's revenues, which hit $1.4 billion in the first half of 2004, according to analysts and Google's filings with the Securities & Exchange Commission as part of its initial public offering process. Regular outages like this could put a dent in those revenues.

INSIDE THE TENT. Unfortunately for Google and other pay-per-click players such as Yahoo!'s (YHOO) Overture unit, overloading a search engine for unscrupulous data-harvesting sessions could become more common. The steady stream of worms has left behind hundreds of thousands of hijacked PCs that can be activated for the next attack. Today, the source code for worms and viruses is much easier to locate, copy, and modify than ever before, thanks to the fairly common practice of releasing the code on the Internet.

Furthermore, by opening up its search technology to software engineers who use Google to build their own customized online search functions, Google has given spammers and other ill-intentioned players a ready way to tap into Google's vast data vaults for leads or other useful information.

At the same time, the emergence of cyberthugs renting out networks of compromised PCs to spammers and others on the dark side of the Web means MyDoom and its ilk can be used to accumulate valuable online assets and not just wreak havoc. "Spammers have concentrated more on viruses...but they could resort to more attacks like MyDoom, considering how successful this appears to be in harvesting e-mail addresses and PCs," according to Hoala Greevy, CEO of anti-spam company PauSpam.

TEMPTING TARGET. True, no one believes that MyDoom or other attacks like it will ever threaten Google's business. And the dozens of computer-science PhDs working in the Googleplex are now focusing on how to respond to attacks in the future. Already, Google limits the number of queries an individual PC can place each day, putting a 24-hour ceiling on the type of damage MyDoom and other worms can cause.

Still, Google has now shown what a tempting target it is, and that will likely draw more attention from cyberspace's bad guys in the future. As Google prepares to go public, that's one more thorn in its side.

Salkever is Technology editor for BusinessWeek Online.

