H.D. Moore, creator of the Metasploit hacking tool and the security researcher behind the MoBB (Month of Browser Bugs) project, has released a search engine that finds live malware samples through Google queries.
The new Malware Search engine provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables.
The release of the search engine was motivated in part by a recent announcement by Websense Security Labs, of San Diego-based Websense, that it was using the freely available Google SOAP (Simple Object Access Protocol) Search API to find dangerous .exe files sitting on Web servers.
In an interview with eWEEK, Moore said he worked with researchers at the Offensive Computing project to create the code after learning that Websense was only sharing its research on private security mailing lists.
“My Web interface will identify specific malware without the Google API. It directly searches Google using fingerprints from executables that we already have,” he said.
Moores project uses code strings, or fingerprints in malware samples, then runs a search on Google for those characteristics.
The search engine has been programmed with about 300 malware signatures and Moore said he plans to add another 6,000 signatures in a future bug fix update.
Moore, who works as director of security research at BreakingPoint Systems, based in Austin, Texas, said he was surprised to find that the number of executables indexed by Google was much less than the figures thrown out by Websense.
“I managed to get a copy of the Websense code this morning and the code itself is useless. There are no signatures. Theres no way to identify malware using their tool unless you know what the malware is,” Moore said.
He said Websenses claim that it was finding malicious code executables on thousands of Web sites could not be verified. “Were actually looking for known executables and were not finding anything close to those numbers. The reality is that Google doesnt index that much malware. Not even close,” Moore said.
In a July 10 interview with eWEEK, Dan Hubbard, senior director of security and technology research at Websense, said his company was finding thousands of hacker forums, newsgroups and mailing list archives hosting malware executables. “While we do not believe that the fact that Google is indexing binary file contents is a large threat, this is further evidence of a rise in Web sites being used as a method of storing and distributing malicious code,” Hubbard said.
In Moores malware search engine, a query for the virulent Bagle worm returned 20 results, most from list archives hosting what appear to be screensaver files.
The engine, which uses fonts, colors and a logo that resembles Googles, will also provide results for simple keywords like “email,” “trojan” or “keylogger.”
Moore said he does not plan to spend too much time on the project unless Google starts indexing more malware samples. He has released the code for a malware signature generator, a malware Google API signature search and a malware downloader, and expects others to build on his work, he said.
Websenses Hubbard said he was surprised by Moores claim that the company was not sharing its information. “As per our original statements we have shared this information with hundreds of researchers around the world and have posted it into several mailing lists. We have also received gratitude from several researchers for creating a useful tool to assist in the war against malicious code,” Hubbard said in an e-mail exchange July 17.