Google Hacking Malicious Code

Written by Rahul Chatterjee
Thursday, 06 July 2006 18:00

A security expert has created a search engine that can find malicious software using Google's
database. H. D. Moore, who is known for his hacking tool Metasploit, said his Malware search
engine can locate websites hosting malicious files if a person enters the name of a virus or a
Trojan in the query field.

Moore, the lead developer for the Metasploit Framework open-source project, a platform for
testing and developing exploit code, created a tool and posted code that shows how to use
Google to look for specific data strings -- which Moore dubbed "" -- within code already
defined as malicious. He also launched his Month of Browser Bugs project, which is disclosing
a new browser vulnerability every day this month.

The search normally does not yield many results, mainly because Google has not yet indexed
most malware. The newly created search tool, which employs a fingerprint of the executable
code, carries out the search using Google.
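The idea of a fingerprint taken from known malicious code, as an added illustration in Python. This is not Moore's code and does not claim to be how his Malware Signature Generator works: it simply pulls the longest distinctive printable strings out of a known sample and then checks other files for them, which is the string-signature approach the article describes. The sample bytes, the "clean" file, the allow-list of boilerplate strings and the match threshold are all constructed for the example.

```python
import re

# Strings present in nearly every Windows executable. A fingerprint built from
# them would match everything, so they are excluded. Constructed allow-list.
COMMON_STRINGS = (
    "This program cannot be run in DOS mode.",
    "KERNEL32.dll",
    "GetProcAddress",
    "LoadLibraryA",
    "ExitProcess",
)


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def build_signature(sample: bytes, max_terms: int = 4) -> list[str]:
    """Pick the longest distinctive strings in a known sample as its fingerprint."""
    seen: set[str] = set()
    candidates = []
    for s in extract_strings(sample):
        if s in seen or any(common in s for common in COMMON_STRINGS):
            continue
        seen.add(s)
        candidates.append(s)
    # Longer strings are less likely to appear by chance in unrelated files.
    candidates.sort(key=len, reverse=True)
    return candidates[:max_terms]


def matches(signature: list[str], data: bytes, min_fraction: float = 0.75) -> bool:
    """True when at least min_fraction of the fingerprint strings occur in data."""
    if not signature:
        return False
    hits = sum(1 for s in signature if s.encode("ascii") in data)
    return hits / len(signature) >= min_fraction


# Constructed stand-ins: a "sample" carrying family-specific strings and a
# "clean" file that shares only the boilerplate every executable has.
_BOILERPLATE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"!This program cannot be run in DOS mode.\r\n$"
    + b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00ExitProcess\x00"
)
SAMPLE = (
    _BOILERPLATE
    + b"mass-mailer build 0x41 example\x00"
    + b"SOFTWARE\\ExampleWorm\\Run\x00"
    + b"smtp helo examplehost.invalid\x00"
    + b"\x8b\xff\x55\x8b\xec" * 8
)
CLEAN = _BOILERPLATE + b"Hello, world from a benign program\x00"

if __name__ == "__main__":
    sig = build_signature(SAMPLE)
    print("fingerprint:", sig)
    print("sample matches:", matches(sig, SAMPLE))  # True
    print("clean matches:", matches(sig, CLEAN))    # False
```

The threshold is the interesting knob: a variant of the family that changes one of the three strings scores 2/3 and falls below the default 0.75, which is the trade-off between catching variants and false positives that any string-based signature has to make.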

Earlier this month, Websense Security Labs, a California-based web filtering products vendor,
had developed a similar tool and claimed it can find thousands of examples of malicious code
using Google's search technology. However, experts said most of the findings were files of a
malicious nature posted to Usenet newsgroups under false names. Websense did not release its
tool to the public for fear of misuse by attackers; Moore actually credits this in his release,
saying that Websense refused to share the source code.

In addition to publicly posting the new malware search engine, Moore has posted the source
code behind the engine in three segments: the Malware Signature Generator; the Malware
Google API Signature Search; and the Malware Downloader.

All three have been released under the open source GPL license and have been written in

Moore's Malware search engine is hardly the first effort at what is commonly referred to
as “Google Hacking.”

Moore worked with others, including researchers at the Offensive Computing project -- who
gave him access to their malware database -- to create the code.

The San Diego-based Websense recently noted that Google indexes binary files, in particular
some Windows executables, and in general terms described how it created a toolset that used
the search engine's API to automate detection of malware and malicious code-infected sites on
the Internet.

Google, which is widely used to search for informative web pages and documents, can also
search the binary data inside the normally unreadable executable files that Windows
computers run.

According to Moore, of some 2,400 samples he examined using his tool, 125 contained
malware. As many as 90 popped up as part of malicious e-mail messages stored in online
e-mail archives. The rest were from websites engaged in distributing malware.

Application security vendor Fortify recently reported that 20 percent to 30 percent of the attacks it
recorded as part of a six-month study came as a result of some form of search engine hacking.

Google is not particularly enamored of efforts to use its index for malicious gain.

"As part of Google's efforts to index all of the information online, we find that on occasion
malicious executable files become available to users through Google Web search," Megan
Quinn, a Google spokeswoman, said. "We deplore these malicious efforts to violate our users'
security."

"When possible, we endeavor to shield our users from these executable files," Quinn added.
"However, we always encourage users to keep their security software up-to-date to ensure the
safest Web surfing experience."

In a July 10 interview, Dan Hubbard, Websense's senior director of security, said the company
would share the search tools only with a select group of researchers. Moore was obviously not
among them; in the notes he posted he credited "Websense for refusing to share

Moore and Hubbard also disagreed on the danger of publicly releasing a Google-based
malware search tool, with the latter holding to Websense's earlier position of keeping its findings
within the security community by distributing them only on private mailing lists.

"I think full disclosure of vulnerabilities is different than full disclosure of ways to
find malicious code," said Hubbard. "There is a reason why these mailing
lists are vetted."

Hubbard countered that Moore was not finding all there was on the Web because his signature
sample was small. "One very simple way to expand the results is to not look for malware,
but to look for attributes of malicious code," said Hubbard. "Rather than looking for
strings within Bagle or MyDoom, look for the evidence of packers in executables."
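Hubbard's distinction between a fixed string and an attribute of malicious code, as an added Python example that is neither Websense's nor Moore's code. It checks two generic signs that a Windows executable has been run through a packer: section names that well-known packers leave behind (the UPX0/UPX1 pair is the classic case) and sections whose byte entropy is close to random, which is what compressed or encrypted payloads look like. The section list, the sample sections and the entropy threshold are constructed assumptions; in a real scan the (name, bytes) pairs would come from a PE parser rather than being built by hand.

```python
import math
import random

# Section names that common packers leave in the PE header; UPX0/UPX1 are the
# classic UPX case. Short, illustrative list for this example.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packer_evidence(sections, entropy_threshold: float = 7.0, min_size: int = 256) -> list[str]:
    """Return the reasons an executable looks packed; an empty list means none found.

    `sections` is a list of (name, raw_bytes) pairs, one per PE section. In a
    real scan they would come from a PE parser; here they are constructed.
    """
    reasons = []
    for name, raw in sections:
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section name {name!r} belongs to a known packer")
        entropy = shannon_entropy(raw)
        # Compressed or encrypted payloads look nearly random; tiny sections are
        # skipped because their entropy estimate is unreliable.
        if len(raw) >= min_size and entropy >= entropy_threshold:
            reasons.append(f"section {name!r} has entropy {entropy:.2f} bits/byte")
    return reasons


def is_likely_packed(sections) -> bool:
    return bool(packer_evidence(sections))


# Constructed section layouts. The "packed" one mimics UPX: an empty UPX0 that
# is reserved for unpacking at run time and a UPX1 holding compressed data,
# simulated here with a seeded PRNG so the run is reproducible.
_rng = random.Random(20060706)
PACKED = [
    ("UPX0", b""),
    ("UPX1", bytes(_rng.randrange(256) for _ in range(4096))),
    (".rsrc", b"\x00" * 512),
]
PLAIN = [
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 200 + b"\xc3"),  # repetitive code-like bytes
    (".data", b"Hello, world\x00" * 50),
    (".rsrc", b"\x00" * 512),
]

if __name__ == "__main__":
    for label, secs in (("packed", PACKED), ("plain", PLAIN)):
        print(label, "->", packer_evidence(secs) or "no packer evidence")
```

Neither indicator proves malice on its own, since legitimate software is packed too; the point, as in Hubbard's remark, is that an attribute like this survives the renaming and rebuilding that defeats a fixed string from one Bagle or MyDoom variant.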

While that "irked" Moore, what was more important was that searching Google for
malware was not a new code resource for hackers. "They have much more up-to-date
archives" of malicious code to use than Google's results, he said.

Moore's search tool, which mimics the minimalist look of Google.
