New Search Engine Targets Malware

Metasploit creator releases tool that searches Google.

HD Moore, creator of the metasploit hacking tool and the security researcher behind the Month of Browser Bugs, or MOBB, project, has released a search engine that finds live malware samples through Google queries.

The new Malware Search engine provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables.

The release of the search engine was motivated in part by a recent announcement by Websense Security Labs, of San Diego-based Websense, that it was using the freely available Google SOAP (Simple Object Access Protocol) search API to find dangerous .exe files sitting on Web servers.

Besides SOAP, the Google API uses WSDL (Web Services Description Language) standards to offer developers an easy way to run search queries outside of the browser. Because of the way the search engine indexes executables, Websense was able to create code to look for strings associated with malware packers.

Dan Hubbard, senior director of security and technology research at Websense, said the use of the Google API started as an experiment after bloggers noticed that some Google search queries were returning .exe files.

In an interview with eWeek, Moore said he worked with researchers at the Offensive Computing project to create his search engine after learning that Websense was sharing its research only on private security mailing lists.

"My Web interface will identify specific malware without the Google API," Moore said. "It directly searches Google using fingerprints from executables that we already have."

Moores project uses code strings, or fingerprints in malware samples, and then runs a search on Google for those characteristics.

The search engine has been programmed with about 300 malware signatures, and Moore said he plans to add another 6,000 signatures in a future bug-fix update.

Moore, who works as director of security research at BreakingPoint Systems, of Austin, Texas, said he was surprised to find that the number of executables indexed by Google was much less than the figures thrown out by Websense.

"I managed to get a copy of the Websense code this morning, and the code itself is useless. There are no signatures. Theres no way to identify malware using their tool unless you know what the malware is," Moore said.

He said Websenses claim that it was finding malicious code executables on thousands of Web sites could not be verified. "Were actually looking for known executables, and were not finding anything close to those numbers. The reality is that Google doesnt index that much malware. Not even close," Moore said.

In a July 10 interview with eWeek, Hubbard said his company was finding thousands of hacker forums, newsgroups and mailing list archives hosting malware executables.

"While we do not believe that the fact that Google is indexing binary file contents is a large threat, this is further evidence of a rise in Web sites being used as a method of storing and distributing malicious code," Websense said in a research note announcing the experiment.

"If you know what to search for within binaries, it could be a really good research tool," Hubbard added at the time.

In Moores malware search engine, a query for the virulent Bagle worm returned 20 results, most from list archives hosting what appear to be screen saver files.

The engine, which uses fonts, colors and a logo that resemble Googles, will also provide results for simple keywords such as "email," "trojan" or "keylogger."

Moore said he does not plan to spend too much time on the project unless Google starts indexing more malware samples. He has released the code for a malware signature generator, a malware Google API signature search and a malware downloader and expects others to build on his work, he said.

Websenses Hubbard said he was surprised by Moores claim that the company was not sharing its information. "As per our original statements we have shared this information with hundreds of researchers around the world and have posted it into several mailing lists. We have also received gratitude from several researchers for creating a useful tool to assist in the war against malicious code," Hubbard said in an e-mail exchange July 17.