Using Google to Find Malware - Automatically [just the tip of the iceberg?]

apparently, after google bought the technology to index binary files in html summaries, people can now search google for different key phrases and locate pe (and other) binaries of their choice.

you can play with this as much as you like, finding different packers, strings, file sizes… the sky is the limit. originally, this was brought to public attention by websense, as you can read here and here.

websense shared their code only with closed trusted communities of researchers. they did not release it to the public. hd just released a tool for it.

searching for known malware signatures like hd shows is just the tip of the iceberg…
as an example a friend demonstrated to me, searching google for:

signature: 00004550 upx1

would find almost 10k pe binaries (00004550 being the pe header signature) packed / protected using upx. searching for other packers, as an example, will yield a lot more results.

one can use the google api to search google for signs of malware directly, and apparently the websense guys had a lot of success with that approach.

the great guys over at metasploit and offensive computing just released a tool for you, plus some signatures in a still small database. it is limited only to known samples. you can find information about it here:

http://metasploit.com/research/misc/mwsearch/mwsearch.html

use their “search engine” to search for current malware they have signatures for:
http://metasploit.com/research/misc/mwsearch/index.html

here is a better link for the search page, which shows you some possible results:
http://metasploit.com/research/misc/mwsearch/?q=.&btng=malware+search

unrelated to their tool… anyone checked some of the results for open directory indexing? :)
anyone tried looking for pe files with the wrong extension? (using the filetype: feature as specified below)

the sky is the limit.

there are some corporate and pen-testing uses for this feature to be considered:
a cool google trick, as my friend noted, is using the filetype: search.

filetype:cpp, filetype:c, etc.

adding some interesting words such as microsoft may turn up some interesting results as well.

another trick that can be tried is using the site: feature of google, and checking your own web pages for hosted malware, either for aup violations or compromises.

that said, google hacking is always evolving, and finding new search strings for things such as packers, as demonstrated with upx above, is the future of this technique.
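as an added example (not from this post, and not part of the metasploit tool), here is a python script for the defensive use mentioned above: auditing your own web root for pe files regardless of their extension, using the same pe header signature (00004550) and upx section names that the google queries rely on. the sample pe images it checks are constructed in memory, so it runs offline.

```python
import os
import struct

PE_SIGNATURE = 0x00004550            # "PE\0\0" as a little-endian dword: the 00004550 from the query
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # section names left behind by upx


def parse_pe(data: bytes):
    """Return (is_pe, section_names) for a byte buffer; anything that is not a PE gives (False, [])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE header
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != PE_SIGNATURE:
        return False, []
    # COFF header follows the 4-byte signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                             # section table, 40 bytes per entry
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return True, names


def classify(data: bytes) -> str:
    """'not-pe', 'pe', or 'pe-upx' (a PE carrying upx section names)."""
    is_pe, names = parse_pe(data)
    if not is_pe:
        return "not-pe"
    return "pe-upx" if PACKER_SECTIONS & set(names) else "pe"


def build_sample(section_names) -> bytes:
    """Constructed minimal PE image (DOS stub + COFF header + section table), not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew right after the DOS header
    coff = struct.pack("<IHHIIIHH", PE_SIGNATURE, 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + coff + sections


def audit_dir(root: str) -> dict:
    """Walk a web root and report every file that is a PE, whatever its extension says."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read(65536))                  # headers sit in the first few KB
            if kind != "not-pe":
                findings[path] = kind
    return findings
```

point `audit_dir` at a directory you serve and anything it returns is a pe hosted under your site, which is what the site: query would also surface once google indexes it.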

gadi evron,
ge@beyondsecurity.com.


6 Comments:

  1. This is not new. I’ve been doing this roughly for about a year now. A website is/was present with MANY tricks to use Google in searching for things like mp3s, private exploits, trojaned binaries, etc!

  2. johnny.ihackstuff.com is the website I’m referring to, btw.

    It’s a quite extensive database of search parameters to find certain things. It’s quite simple to shift parameters and change things to dig deeper into finding things such as password hashes, etc.

    As said, most of this stuff isn’t new, and has been public for a while.

  3. Yep, a lot of it is. Heck, I bet we can even find a paper about it by Dr. Fred Cohen from the 1970s. That said, no one knew about it until recently - at least publicly, and not on that scale on this subject.

    Cool on the MP3’s, etc. though. :)

  4. i’ve stumbled across this from time to time, and didn’t think too much about it. however, dan @ websense and now HD have really shown what can be done with this. i took HD’s tools and reimplemented them in python:

    http://asert.arbornetworks.com/2006/07/googling-for-malware-bobbing-for-mass-mailers/

    thanks for kicking this into high gear, dan and everyone else at websense, you’ve really shown how a few simple tools can generate a lot of useful data. i’m busy contacting website owners about their malware, it’s mainly mailing list archives who got spammed by mass mailers, and the attachments are still in the queue.

  5. by the way, google will try and present the imports of any Win32 executable if it can. this means that you can limit yourself to things that call a specific Win32 API, i.e. “filetype:exe InternetOpenURLA” is a kind of query you can perform. also, dan @ websense points out that google also shows section names. if you know how packers operate, you can easily make use of that, too!

  6. […] A nice use for what we wrote about a couple of days ago just came up on FD as posted on the cipher blog. […]
