TELECOM Digest OnLine - Sorted: Search Going on for Hidden Google Malware


Search Going on for Hidden Google Malware


Robert McMillan, IDG (idg@telecom-digest.org)
Sun, 23 Jul 2006 00:07:48 -0500

Robert McMillan, IDG News Service

A well-known security researcher has released code that can be used to
mine Google's database for malicious software.

The tool is similar to one that Web filtering vendor Websense developed
last week but did not release to the general public. Websense
said that making this software public could lead to its being misused
by attackers.

Using a database of digital fingerprints of known malware -- called
"signatures" -- the Malware Search tool uses the popular search engine
to find a number of known worms and viruses. It was developed by HD
Moore, the researcher best known as the developer of the widely used
Metasploit hacking tool. Moore's tool was posted early Monday.

Though Google is widely used to search the Internet for Web pages and
office documents, the search engine also can peek through the binary
information stored in the normally unreadable executable files that
are run by Windows computers. Google won't say when it added this
feature, but it has gained the attention of security researchers over
the past three months.

Moore built his tool to help shed some light on how much malware was
actually being indexed by Google, he said. His findings: not much.

When the security researcher examined a sample of about 4GB of
executable code, he found that very few of the programs were
malicious. "You can search for malware, but it's not a big risk," he
said.

Of the approximately 2400 samples he examined, 125 contained malware.
More than 90 of these popped up as part of malicious e-mail messages
stored in online e-mail archives. The rest of the samples came from
Web sites that were actively distributing malware.

Attackers Disappointed?

So any attacker that might be looking to find new sources of malware
using Moore's tool will probably be disappointed.

"Attackers have much better sources of malware and the items in the
Google index are not recent or useful," he said. "If anything, the
Google index is a great tool for determining who distributes
malware -- the actual malware in question is not that interesting."

Though some have speculated that Google's ability to search through
executable files might allow it to create its own shareware and
freeware search service, Moore said that Google has not yet indexed
enough files for this to be useful.

Three months ago, Google had indexed about 30,000 executable
files. That number has now risen to about 112,000 samples, he said.

"Considering that they're Google, you'd expect better results," Moore
said. "If they could grow their index of executables to some sort of
useful amount, then this would be really useful," he said.

However, without some way of weeding out malicious software, this kind
of service could be misused by attackers to trick users into
downloading worms or viruses masquerading as legitimate downloads,
Moore said.

Google declined to comment for this article except to say that it is
aware that users can find malicious executables via its search engine,
and is making an effort to shield users from this code.

Copyright 2006 PC World Communications, Inc.
