Malware Search Engine

Do you remember the post about Google indexing EXE files? Since then many things have happened. Websense, a company that develops web security solutions, has created a tool to identify malicious binaries in Google's index (Mining for malcode with Google - not a permalink).

"Our results show that we were able to collect thousands of pieces of malicious binaries, mostly posted to newsgroups with false names that would normally trick a user; we found many on forum sites, as well as regular personal, educational, compromised, and underground sites. We also found several pieces of spyware on poker and casino sites. We found variants of the Bagle and Mytob worms, various trojans, and many other malicious binaries. While we do not believe that the fact that Google is indexing binary file contents is a large threat, this is further evidence of a rise in websites being used as a method of storing and distributing malicious code."

As Websense didn't release the tool, H. D. Moore, creator of Metasploit (a tool for penetration testing, exploit development, and vulnerability research), built his own Malware Search engine. Type the name of a virus and it returns the Google queries that produce malware as search results. Some examples: MyDoom, Klez, BadTrans and other worms and trojans. H. D. Moore used some Ruby scripts and the Google API to search for almost 300 malware signatures.

Google indexes some headers and sections from the binary, which tell the dynamic linker how to map the file into memory. They start like this:
"WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 3b7dc821
Symbols Pointer: 00000000"
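As an added example (not code from the post or from H. D. Moore's tool), the following Python script parses the same IMAGE_FILE_HEADER fields that the indexed text above shows, straight from the PE/COFF layout, and rejects truncated or non-PE input instead of misparsing it. SAMPLE_PE is a constructed header stub carrying the values from the post, not a real binary.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "Intel 386", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}

def parse_pe_file_header(data: bytes) -> dict:
    """Return the IMAGE_FILE_HEADER fields of a PE image; raise ValueError on
    anything that is not a well-formed PE (truncated download, non-PE blob)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data):  # 4-byte signature + 20-byte file header
        raise ValueError("e_lfanew points past end of file")
    sig = data[e_lfanew:e_lfanew + 4]
    if sig != b"PE\0\0":
        raise ValueError("missing PE signature")
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    machine, nsections, timestamp, symptr, nsyms, optsize, chars = fields
    return {
        "signature": struct.unpack("<I", sig)[0],  # 0x00004550 as in the indexed text
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "number_of_sections": nsections,
        "time_date_stamp": timestamp,
        "symbols_pointer": symptr,
        "number_of_symbols": nsyms,
        "size_of_optional_header": optsize,
        "characteristics": chars,
    }

def describe(hdr: dict) -> str:
    """Render the header like the 'Technical File Information' block Google indexes."""
    built = datetime.fromtimestamp(hdr["time_date_stamp"], tz=timezone.utc)
    return "\n".join([
        "Image File Header",
        "Signature: %08x" % hdr["signature"],
        "Machine: %s" % hdr["machine_name"],
        "Number of Sections: %04x" % hdr["number_of_sections"],
        "Time Date Stamp: %08x (%s)" % (hdr["time_date_stamp"], built.strftime("%Y-%m-%d %H:%M:%SZ")),
        "Symbols Pointer: %08x" % hdr["symbols_pointer"],
    ])

# Constructed sample (not a real program): DOS header with e_lfanew = 0x40, then the
# PE signature and a file header with the post's values (Intel 386, 3 sections, 3b7dc821).
SAMPLE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x014C, 3, 0x3B7DC821, 0, 0, 0xE0, 0x010F))

if __name__ == "__main__":
    print(describe(parse_pe_file_header(SAMPLE_PE)))
```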

When performing a query with Malware Search or directly with Google, click "View as HTML" to see what Google indexed. If you click on the title instead, you'll download the (potentially) dangerous file. This is not a very big issue, because the queries that return EXE files are not very common.