Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Metasploit Creator Releases Malware Search Engine



 By: Ryan Naraine
2006-07-17
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Challenging recent findings by Websense, the security researcher behind the "Month of Browser Bugs" project releases a search engine that locates live malware samples through Google queries.

H.D. Moore, creator of the Metasploit hacking tool and the security researcher behind the MoBB (Month of Browser Bugs) project, has released a search engine that finds live malware samples through Google queries.

The new Malware Search engine provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables.

The release of the search engine was motivated in part by a recent announcement by Websense Security Labs, of San Diego-based Websense, that it was using the freely available Google SOAP (Simple Object Access Protocol) Search API to find dangerous .exe files sitting on Web servers.

In an interview with eWEEK, Moore said he worked with researchers at the Offensive Computing project to create the code after learning that Websense was only sharing its research on private security mailing lists.

Read more here about how Websense mines for malware code with the Google API.

Resource Library:
"My Web interface will identify specific malware without the Google API. It directly searches Google using fingerprints from executables that we already have," he said.

Moores project uses code strings, or fingerprints in malware samples, then runs a search on Google for those characteristics.

The search engine has been programmed with about 300 malware signatures and Moore said he plans to add another 6,000 signatures in a future bug fix update.

Moore, who works as director of security research at BreakingPoint Systems, based in Austin, Texas, said he was surprised to find that the number of executables indexed by Google was much less than the figures thrown out by Websense.

To read more about H.D. Moores "Month of Browser Bugs" project, click here.

"I managed to get a copy of the Websense code this morning and the code itself is useless. There are no signatures. Theres no way to identify malware using their tool unless you know what the malware is," Moore said.

He said Websenses claim that it was finding malicious code executables on thousands of Web sites could not be verified. "Were actually looking for known executables and were not finding anything close to those numbers. The reality is that Google doesnt index that much malware. Not even close," Moore said.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

In a July 10 interview with eWEEK, Dan Hubbard, senior director of security and technology research at Websense, said his company was finding thousands of hacker forums, newsgroups and mailing list archives hosting malware executables. "While we do not believe that the fact that Google is indexing binary file contents is a large threat, this is further evidence of a rise in Web sites being used as a method of storing and distributing malicious code," Hubbard said.

In Moores malware search engine, a query for the virulent Bagle worm returned 20 results, most from list archives hosting what appear to be screensaver files.

The engine, which uses fonts, colors and a logo that resembles Googles, will also provide results for simple keywords like "email," "trojan" or "keylogger."

Moore said he does not plan to spend too much time on the project unless Google starts indexing more malware samples. He has released the code for a malware signature generator, a malware Google API signature search and a malware downloader, and expects others to build on his work, he said.

Websenses Hubbard said he was surprised by Moores claim that the company was not sharing its information. "As per our original statements we have shared this information with hundreds of researchers around the world and have posted it into several mailing lists. We have also received gratitude from several researchers for creating a useful tool to assist in the war against malicious code," Hubbard said in an e-mail exchange July 17.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Metasploit Creator Releases Malware Search Engine
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8c=mG-9֎my-%L*EB%);'ΗSOx-NsN-`n4w~ IM˙Kל۔\sPç}$5]2i*_ d&@ jہ)}mk4 uB;{#|6S%߽w *s=NN5KԚLÆ|g&$ƾl dkdp,FcwO dr@'AjZ$6m(GJ|,ZB;"?*B43 \2ITߦuB)~{Te䆡;g? CKt/"(?c&c?9;~'f^B(ƻFՉziZg#2]hj:TN`Uƞfn =KQF3r;BM*-M Dƞ4ICKd#˝̒JKA`:rm3G@]õ]Z.R͌eCwtPOMҷB($g >v?&R IgK[aW+)K0~b[4IƒN8CEnOuؾtwyDfjt˜HJo~cns(p}=\'BL}:n/GEӝÌfؖqWth(ݱV*Z]QKrP);?Wcm9NeW4wFs˯ j^~pdv4򺮕CM;;yԼ}  d}+5*%`ZJdz4_S::Ygn\"yd[^ Kk%٥~lY̞ofVҘ gUUYNA[~6tnCn l,aV4*2V]鮙ȏA}|q۽jnwCڝNY; i f׵V?܌/x?lrO,.iTW%32uLCxE$Y-r{&8\^Cj ݖUB_*Dȟ/Rzhf5 t @CX&%2ɌSHu t:e9AcM'C6kiJuV!`FCܺoN49(蟩$m4@r5)6B̄H )'7R>ߦ,-|y"brݢHPs>Χ+foF"> 23yB(&pHqb&μbO૖yx>zY[5'jtamE՘is_ӲKwI|IwNz߁)WICKEhYf7-wIqM}{QU1W*P\?.Ëʡb(7ZdL,5,{LtlA`:g1>QӚ#qRO#Gs>H2胎6mb8-" ,70}Hw@zqI 4wX8|}ZcO6/|\a֌^i$>6(Z\?` VCf@B랂9׿ޚA"Qޚґ4a qj 8=*~s=w}   @lgk6G~[>l0s٣N\KQo m2)%%E2 EEKy3@ $h-4O`z.,mbo$?HXVphTݞHp'PT>Wh&3aGe-n^ d6gF2+LYG0-&D7rb.G E7Kᙖ6FlY.+ǚvXçc&tc˰` @ }= 3ܲM҂%Ll;!i`2Ґ(e`9ޟFa]:<f335{80q}`] ktӴ٦͙qjS;_Aa"tLeB#`9N{S^g[,:L:%qGnz]:0s> k2'yv=g.Q1jWuϙ_N#kۖsM+ jJ=WsFA|5i!sL&Ze on<Gy5&㓫(\=P=Дfkb*q (> uP\O ō4BЊOW}?ٲZbY6(U7v/KƠR9߮ R[kҁ K rLZԵ1D4$"] `}.eOqHLīl-m7D=t=0_ܰ탡K*+ G,mk9^a5sV@6@@7hM TlVCax=ZAwm=_T\v /*||2ː 7um CO5,v&ff:X[' +ȁUzqڋgpp0uVׅ=% ._8g7i+@oLsCm0 ǖ "^l"{_=)V}B~* iO5 &^PGe d^ `M`Rc׶݇| :lF֝BQZ>-B.-g \\ipf^DZLhKgAqA0*L\y.rV~ 2qÝa&1 DR)Ö13wdio&{םT'/咢TS< ֚pDr@uߘʓ@gӐah"pHEAxZhp B@U.)L-9Hz -[ hg [Qzn3Cz+ `RI?I BL!2Bsݧ}=1g匬`"{ dRPZUU+Zp~W`s<(yO?b5xx /OqCvPClKg!n8c0SMw+\ >'<\VaQSƖ=4FXXoH]-'L͎'OCRIS,dTP9ufj?XEx dEM]pCNy!+pDZ\PV`.n )pe&zoɺITNȑ1[DG` nuESUGK;+]W" V@Q: A\=< `QtEa&NiCM; PwE-~O9b:Xpkd豸< QB|l8pL )h UK*~mϻ{/J.4F@2<"#8\fS>xtVPBK!nΚ77/=Ǐt"9ygm2%8z.0JM;%9 $ہ3FnEf۴s:i&2106E-0P>O\մJ ߗ,09>|6Œu8Yۄ`gsV`pl1\GA>э'a*r1g6~zi1b`{7=;#[(4OQ5rRl2y6PC*lγ>AqHlBO//'Wa9L97=RJ 2=cte>ugc5NZ:<*C)TʜYe/(QUmq'F.҂^ߍK]bRvYLvLʪHG٭TS82V6ZZaoaqVZF3HU EM#/ PNFC~g$2@|)AU%UHU*J5}Urk4rO,ش,>6W"h -z; ezzX-,sK"hJgԋ_q[rn)ty4ņ5ѣ(4CFup0 O+os{KIlϱkK{@u?3RlɪV?T%봺%I?NM= h+QcOBWuṚo{{C4÷,L)~39Ȕ)xT-kZb[Ԫc"i!`0\V+) ,%~W9@` |ZUjrF22@BZNbx<'b{H 'npLaV*S7oA!Rē#$ |C*ͤ D;}ZTe7&# 111u?|ya`zY+oSP@/I6 \C.:;bd~G]Itkn{p~DJۧ>] e1a\zF_j,8Eψa6F4ZGSk5/q֭ Bf-.3ۿĄBAZΎy(@RPOh5[#ES|$;3^ZIh !:Ua2"(BShDO§,9ݴ8S%j7 E/JN~N[ҷoDW蘧K7tEdW(x,VfsF;HzNbp j_tESr!F,/Dec]Zimsz{DiR'D[3pu*hKhw^Y ]s>ͥ`L̴M\gwh^PD(WVp9c㻞Xa*/q)y A ̯> H-@^ FP ߼=oq>p]9Qz AC~oM}\0n7~v6rO07)۽l9niimǡ8-0^l"4P$EUՊZFrVU $]eNFftZt@2&\%3ٌ<яki^d̠t+R!ekEwWSU+KT7ڲ&E%:mחF}޿ BĬxBw2h덧w̷kL>dOc@/ulvd5t` aAXŀ0Vo lϸp@ s8<O[euw+[S'gSc;/HF#xoy(6-lG@|P ;a6 *|b1 \<U) Wo[1΢$G |o(o'򽥎xk6RSg/9;L_lZS|  \(.FӞ܊MQ@(2.mE>zQ%Fc?YS+xϗiL@g4ۺg YrꀮRCy_[;tڰkKz!$`!~`ӯF BI2p=*C;9<<~6 KTFzDwD ó^h4_P?-S̃PKeM)};\|P sώb; bВ>Z< m?s=`Sק֠ʡZU)Y#<N=ꄜ[`y5[ 'c[$P$!"y {ynYO-T0 %nlf!良 ,Me"`f>1KNw2@}\I |[|?X>N{`(}$IMΘN8(_BlNAW7AgZFMTN2 4pW[H&G| T!gikRuL-J #1q(V8ur;3&K* /VJfڟ,גrg M%ZJd^I?yF^\U{’JۧhJi")6decDHo$m%/R[,NddNS%`@ HAv}ubΤMj7' [m5#EŴR0%q^2,r@lp\A(]чLvP:E%)X́txdKiLJe!b(O=<6I D%.r,CyV4%W@Dίy.y*)5IM3|lglZhXҀ飘Kq^Yԉx7"fBtT#,Ǭh@+o烓9a{ e8B3#_:tf ~ D0 0/v@=z{L[W}TKJ _o%Î(E%'pei[}A,r|SߝQڞ5B#kF dɅEn\Y&kkIHs!<]MR4v<y]O݇@z(Iݙ!1[V:I!7ֽnJe)o(^̑W :a.I{n-`d3ůģ Wml!n/3q-E M`%݁^k[kgы89;`p$pD+*D=G~j|[ :SO]8"aN|UX!;DIFkDl5V5)A )X),URMo}a] <eH 8+/D%m4wgK6ޫ+וXcǾGM*.wx7v«Mͭm9/m&,J:e'1F@:e&֜3#B̠o3 v8GncsZߺ%aycwauP<Ax7*,de{{cŵmͯv'VUg7G/a_gV\Qs \gBW{oK ߃Rs:̝EVLѼ1A8mC|GvjccB%㵙vmVx{ŷi3^`W۲:pX0ʼny0m-mĬә{OWR+eyX -}-wRMt=y,DC2ĆLZQ+i錃ql ^X1gL4 kx.(6(5J7{/$rpB+m'rMzX sZ4G|-^/Em/^+8El*=6)R Ǯ"JfadH}$ƽZlE}`Lh긾\/q[a(3VGBA8AXJo,"%xa quQ%ϤHFpxIYL˃3^A=sf41%!]q>ƘKjteVSR%J,w%[dLo 9=Қ0&^OE*ނ0H>PSd%[ UH+40+G8i1=Hsr3#mz^C GJk&GavDwe|W@O[fkhP♛U֝uؓRcS-*);,Ou%-ML6,x[+x6_f~R!gI] 0!5C^UX+)Z{ʋzhxf˛8(-zp׳GjWb1+ x.5!o[I{m>8b9gŧ6_`i7t]kt+ 7s>_d3B{w^1~"jsas)ʒ2;D/0̊ۊRo5Jۥ]aYJ"%N09ݱX z=jX:N#RV¯m^fVܞUkN`d ObD))o3윶AcB$!i?/7W}P)a#{~Lƞ Dƴ"c)41GJ[#1}ɹgM:vJE< ,iMmahnoE?pbZ1Ř!bl͈)i8I41An~@>LQXj*!b3wاX, kG~Hm*R'xvqU@y+LL͂zĂ![C P?5DF·:=xs;%̌S,0 @uA"\2},Gyaa2?y :Q̬5zy6t(QS1U&F.{,n ѩrPh$`x=9aicta~X{SdO (  @Ka1c~Po֔J$2 >*%>gٕa)걪VR? (^' ;UeK=M镬B*%^Șq~/4 :1s7\`ڇ'rֻ!-rvMz]E9a[k |폺SwNzOOgݫMjPhY>|iKym2/*(H].;NSʙ٦΄ksYx9%E:wf8l z$G(%lGyї51ũ2M؂/LLNS+t?ʼnt|YjyҫP/#Z"j0FIg r!>w.:һIJ/./r_r_sofsi 8Sރ^N9r`syh䔟B3Y}C([hw7wۅfS3ݫr7 _9埠 K2K{CKe}./?/s2?QFrsϡs ro(_r#+>1~P~W{ÿmN9$)gVqv*esS^)4OrR}~ )PWg9PϪ ~2:R@~W~ kN+ťfW*7yKxM}%kg[F1iu}WG{1:,y& )htVydSrbye?VRRw;]Cڤ\z.{]r-Xѧ^5_9x=* u=}٘o/(c#h6 .Ǒrۿ剹?|k2yi8L?{W].6tqS0n,0 4` K}VexvY^][j7mϋ1y}2So١Oh]ߚč,1{ %h00(\/F>&9d<[`?Znam7'4`tnZ{gd닰Yʪ9(Ѱ~H+"79<R9g!螩z$J {4"ބeа- i7IղVJZ8~O+A"ðèITMVYi2ZU9k%PPeh[i2oVS yVi8n[z"z5~B@N,1"ٽ/cA6of)3^46T<gM~ o'2Pd Sebb{ˈLbT|Jx Oq 9&X.>&]\ʠaCao/Yb+F;cp\;=2 gd?, {Ӗ`i,*>Xv7i\X+$LfLe~c^'Of@L V$)0>t zCcjd9Mk +P<ീ8ۈqeA(we6Lm (~%.,wjs/0!)gxt1d`6Nώ;[; uu7В_u/TB# l_Hx fB~n.'13d⟒GN*Maџ eF`O]׈nBaIg ?&{l a"q0ug'4WBMxn5m&$rq;%hw2b59әd_yfȅ^b\YGl+n:' wX{EkPY{鈇T7uG??;'ovˌRh\*.Io;烣5ŧMFnғ/ozRTFYZP$DM Rz׭v{>]/7 ~s Whc<3xL -2VjwN㛾VtƦI:1qzr륭.{Q'b(5lS2G4K_jj*JlTɩY;~XXqg;f†[hx.b&;f1ԲbUz݁*