Google Hacking Malicious Code

July 6, 2006

A security expert has created a search engine that finds malicious software using Google’s index. H. D. Moore, known for his hacking tool Metasploit, said his Malware search engine can locate websites hosting malicious files when a user enters the name of a virus or a Trojan in the query field.

Moore, the lead developer for the Metasploit Framework open-source project, a platform for testing and developing exploit code, created the tool and posted code that shows how to use Google to look for specific data strings, which Moore dubbed "fingerprints", within code already identified as malicious. He has also launched his Month of Browser Bugs (MoBB) project, which is disclosing a new browser vulnerability every day this month.

The search normally does not yield many results, mainly because Google has not yet indexed most malware. The new tool carries out the search through Google using a fingerprint taken from the executable code.
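As an added illustration of what a string "fingerprint" of an executable can look like, the Ruby script below (written for this page, not H. D. Moore's Malware Signature Generator or any Websense code) extracts printable strings from a sample file, discards boilerplate common to all Windows executables, and turns the most distinctive strings into a quoted search query. The generic-string list, the minimum length and the sample bytes are assumptions constructed for the example.

```ruby
# Added example: a toy string-fingerprint generator in the spirit of the
# article's "fingerprints". It is not H. D. Moore's Malware Signature
# Generator; the generic-string list and the sample bytes are constructed.

MIN_LEN = 8

# Boilerplate present in nearly every Windows executable carries no
# signal for a search, so it is dropped (assumed list for this example).
GENERIC = [
  "This program cannot be run in DOS mode",
  "KERNEL32.dll", "GetProcAddress", "LoadLibraryA"
].freeze

# Extract runs of printable ASCII at least min_len bytes long, in file
# order, without duplicates.
def extract_strings(bytes, min_len = MIN_LEN)
  bytes.b.scan(/[\x20-\x7e]{#{min_len},}/).uniq
end

# Keep only distinctive strings: not boilerplate, and not padding made of
# one or two repeated characters.
def distinctive_strings(strings)
  strings.reject do |s|
    GENERIC.any? { |g| s.include?(g) } || s.squeeze.length <= 2
  end
end

# Build a search query from the n longest distinctive strings, each quoted
# so the engine matches the exact phrase. Ties are broken alphabetically
# so the output is deterministic.
def fingerprint_query(bytes, n = 3)
  picks = distinctive_strings(extract_strings(bytes))
            .sort_by { |s| [-s.length, s] }
            .first(n)
  picks.map { |s| %("#{s}") }.join(" ")
end

# Constructed sample: a fake DOS stub, an import list, padding, and a few
# strings of the kind a mass-mailer might carry. Invented for the example.
SAMPLE = [
  "MZ", "\x90\x00\x03\x00",
  "This program cannot be run in DOS mode.\r\n", "\x00" * 16,
  ".text\x00\x00\x00", ".data\x00\x00\x00",
  "KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00",
  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
  "example_worm_mailer_v2\x00",
  "AAAAAAAAAAAAAAAA\x00",
  "Subject: your document\x00"
].map(&:b).join

if __FILE__ == $PROGRAM_NAME
  puts "strings: #{extract_strings(SAMPLE).inspect}"
  puts "query:   #{fingerprint_query(SAMPLE)}"
end
```

Run it directly to see the extracted strings and the resulting query; the boilerplate DOS-stub and import strings are filtered out, and the repeated-character padding never makes it into the fingerprint. A real generator would also weight strings by how rare they are across a corpus of clean files, which this toy does not attempt.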

Earlier this month, Websense Security Labs, a California-based vendor of web filtering products, developed a similar tool and claimed it could find thousands of examples of malicious code using Google’s search technology. However, experts said most of the findings were malicious files posted to Usenet newsgroups under false names. Websense did not release its tool to the public, fearing misuse by attackers; Moore pointedly credits this in his release notes, since Websense, he said, refused to share its source code.

In addition to publicly posting the new malware search engine, Moore has posted the source code behind the engine in three segments: the Malware Signature Generator; the Malware Google API Signature Search; and the Malware Downloader.

All three have been released under the open source GPL license and have been written in Ruby.

Moore’s Malware search engine is hardly the first effort at what is commonly referred to as “Google Hacking.”

Moore worked with others, including researchers at the Offensive Computing project — who gave him access to their malware database — to create the code.

The San Diego-based Websense recently noted that Google indexes binary files, in particular some Windows executables, and in general terms described how it created a toolset that used the search engine’s API to automate detection of malware and malicious code-infected sites on the Internet.

It is well known that Google, widely used to search for informative web pages and documents, can also search through the binary contents of the normally unreadable executable files run by Windows computers.

According to Moore, of some 2,400 samples he examined using his tool, 125 contained malware. As many as 90 popped up as part of malicious e-mail messages stored in online e-mail archives. The rest were from websites engaged in distributing malware.

Application security vendor Fortify recently reported that 20 percent to 30 percent of the attacks it recorded as part of a six-month study came as a result of some form of search engine hacking.

Google is not particularly enamored of efforts to use its index for malicious gain.

"As part of Google’s efforts to index all of the information online we find that on occasion malicious executable files become available to users through Google Web search," Megan Quinn, a Google spokeswoman, told internetnews.com. "We deplore these malicious efforts to violate our users’ security."

"When possible, we endeavor to shield our users from these executable files," Quinn added. "However we always encourage users to keep their security software up-to-date to ensure the safest Web surfing experience."

In a July 10 interview, Dan Hubbard, Websense’s senior director of security, said the company would share the search tools only with a select group of researchers. Moore was obviously not among them; in the notes he posted he credited "Websense for refusing to share code."

Moore and Hubbard also disagreed on the danger of publicly releasing a Google-based malware search tool, with the latter holding to Websense’s earlier position of keeping its findings within the security community by distributing them only on private mailing lists.

"I think full disclosure of vulnerabilities is different than full disclosure of ways to find malicious code," said Hubbard. "There is a reason why these mailing lists are vetted."

Hubbard countered that Moore was not finding all there was on the Web because his signature sample was small. "One very simple way to expand the results is to not look for malware, but to look for attributes of malicious code," said Hubbard. "Rather than looking for strings within Bagle or MyDoom, look for the evidence of packers in executables."
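Hubbard's suggestion of looking for "attributes of malicious code" rather than strings from specific worms is illustrated by the added Ruby script below, which is not Websense's or Metasploit's code. It reads the section table of a tiny PE image built in the script itself and reports two classic packer attributes: section names that well-known packers leave behind, and sections whose byte entropy is close to that of random data. The packer section-name list, the entropy threshold and the two sample executables are assumptions constructed for the example.

```ruby
# Added example: a toy PE section reader plus two packer heuristics
# (known packer section names and high byte entropy). It is not Websense
# or Metasploit code; the section-name list, the threshold and the sample
# executables below are constructed for the example.

# Section names that well-known packers leave behind (assumed list).
PACKER_SECTIONS = %w[UPX0 UPX1 UPX2 .aspack .adata .petite .nsp0 .nsp1
                     .MPRESS1 .MPRESS2 .themida .vmp0 .vmp1].freeze

# Compressed or encrypted payloads look close to random; plain code and
# data score well below this (threshold assumed for this example).
HIGH_ENTROPY = 7.0

# Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0).
def entropy(data)
  return 0.0 if data.empty?
  counts = Hash.new(0)
  data.each_byte { |b| counts[b] += 1 }
  n = data.bytesize.to_f
  -counts.values.sum { |c| p = c / n; p * Math.log2(p) }
end

# Walk DOS header -> PE signature -> COFF header -> section table and
# return each section's name and raw bytes.
def pe_sections(bytes)
  bytes = bytes.b
  raise ArgumentError, "missing MZ header" unless bytes[0, 2] == "MZ"
  pe_off = bytes[0x3c, 4].unpack1("V")                     # e_lfanew
  raise ArgumentError, "missing PE signature" unless bytes[pe_off, 4] == "PE\x00\x00".b
  nsec     = bytes[pe_off + 6, 2].unpack1("v")              # NumberOfSections
  opt_size = bytes[pe_off + 20, 2].unpack1("v")             # SizeOfOptionalHeader
  table    = pe_off + 24 + opt_size                         # first section header
  (0...nsec).map do |i|
    name, _vsize, _va, raw_size, raw_ptr = bytes[table + 40 * i, 40].unpack("a8VVVV")
    { name: name.delete("\0"), data: bytes[raw_ptr, raw_size] || "".b }
  end
end

# Report the packer attributes found; an empty array means none.
def packer_indicators(bytes)
  pe_sections(bytes).flat_map do |s|
    hits = []
    hits << "packer section name #{s[:name]}" if PACKER_SECTIONS.include?(s[:name])
    e = entropy(s[:data])
    hits << format("high entropy %.2f in %s", e, s[:name]) if e >= HIGH_ENTROPY
    hits
  end
end

# Build a minimal PE32 image with the given [name, data] sections. Only
# the fields the parser above reads are meaningful; the rest are zero.
def build_pe(sections)
  opt_size = 0xE0
  raw_ptr  = 0x40 + 4 + 20 + opt_size + 40 * sections.size
  dos  = "MZ".b + ("\x00" * 58).b + [0x40].pack("V")          # e_lfanew = 0x40
  coff = "PE\x00\x00".b + [0x14c, sections.size, 0, 0, 0, opt_size, 0x102].pack("vvVVVvv")
  opt  = "\x0b\x01".b + ("\x00" * (opt_size - 2)).b            # PE32 magic
  table = "".b
  body  = "".b
  sections.each do |name, data|
    table << [name, data.bytesize, 0x1000, data.bytesize, raw_ptr + body.bytesize,
              0, 0, 0, 0, 0x60000020].pack("a8VVVVVVvvV")
    body << data.b
  end
  dos + coff + opt + table + body
end

# Constructed samples: an unpacked-looking image with repetitive code
# bytes, and a UPX-style image whose payload is pseudo-random bytes.
CLEAN_PE  = build_pe([[".text", ("\x55\x8b\xec\x83\xec\x10\x90\x90".b) * 256],
                      [".data", ("Hello, world\x00".b) * 64]])
PACKED_PE = build_pe([["UPX0", "".b],
                      ["UPX1", Random.new(42).bytes(4096)]])

if __FILE__ == $PROGRAM_NAME
  puts "clean:  #{packer_indicators(CLEAN_PE).inspect}"
  puts "packed: #{packer_indicators(PACKED_PE).inspect}"
end
```

The clean image yields no indicators, while the UPX-style one is flagged on both counts. Packed files are not malicious by themselves (many legitimate installers are packed), so a practitioner treats these attributes as a triage signal to prioritise deeper analysis, not as a verdict.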

While the criticism "irked" Moore, the more important point, he said, was that searching Google for malware does not give hackers a new source of code: "They have much more up-to-date archives" of malicious code to use than Google’s results.

Moore’s search tool, which mimics the minimalist look of Google.