Mining for malcode with Google.


There have been a few blogs from outside parties on the subject of Google's search engine indexing not only file types such as PDF and DOC, but executable files as well. A Google query for "Signature: 00004550" returns numerous links to executable files. The search works because, when Google indexes an executable, it parses the PE file format of the Windows binary. One of the fields it extracts is the signature "4550", the NT signature present in every valid Win32 PE file.
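The check behind that query is easy to reproduce offline. The following is an added example, not code from the Websense post or from Google: it parses the DOS stub of a Win32 image, follows the `e_lfanew` pointer at offset 0x3C to the NT signature, and reports it in the same eight-hex-digit form Google displays (`PE\0\0` read as a little-endian DWORD is 0x00004550). The function names (`parse_pe_header`, `build_sample_pe_header`, `triage_blobs`) and the sample byte strings are constructed for this example; the header layout itself follows the published PE/COFF specification.

```python
import struct

# "PE\0\0" read as a little-endian 32-bit integer; Google renders it as "00004550".
PE_SIGNATURE = 0x00004550
MZ_MAGIC = b"MZ"

# A few well-known COFF Machine values, for readable triage output.
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def parse_pe_header(data: bytes):
    """Return NT-signature and COFF header facts for a Win32 PE image, or None.

    A valid PE starts with a DOS 'MZ' stub; the DWORD at offset 0x3C (e_lfanew)
    points at the 4-byte NT signature 'PE\\0\\0', which is followed by the
    20-byte COFF file header (Machine, NumberOfSections, TimeDateStamp, ...).
    """
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need room for the signature (4 bytes) plus the COFF header (20 bytes).
    if e_lfanew + 24 > len(data):
        return None
    signature = struct.unpack_from("<I", data, e_lfanew)[0]
    if signature != PE_SIGNATURE:
        return None
    machine, num_sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {
        "signature": f"{signature:08X}",          # "00004550"
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04X}"),
        "sections": num_sections,
        "timestamp": timestamp,
    }


def build_sample_pe_header(e_lfanew=0x40, machine=0x014C, sections=3,
                           timestamp=0x44B1F000, nt_signature=b"PE\0\0"):
    """Constructed sample: a minimal MZ stub plus NT signature and COFF header.

    Not a runnable executable, only the header bytes the parser inspects.
    """
    dos_stub = bytearray(e_lfanew)
    dos_stub[:2] = MZ_MAGIC
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, 0xE0, 0x010F)
    return bytes(dos_stub) + nt_signature + coff


def triage_blobs(blobs):
    """Return the names of blobs that carry a valid NT signature.

    Mirrors what the indexer does across a crawl: keep only real PE images.
    """
    return [name for name, data in blobs.items() if parse_pe_header(data) is not None]


# Constructed inputs: a real-looking Win32 header, a 16-bit NE image (MZ stub but
# a different signature), an MZ stub whose e_lfanew points past the end, and text.
SAMPLE_BLOBS = {
    "win32.exe": build_sample_pe_header(),
    "dos16.exe": build_sample_pe_header(nt_signature=b"NE\0\0"),
    "truncated.exe": b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x1000),
    "readme.txt": b"Signature: 00004550 is just text here",
}

if __name__ == "__main__":
    for name, data in SAMPLE_BLOBS.items():
        print(name, parse_pe_header(data))
    print("PE images:", triage_blobs(SAMPLE_BLOBS))
```

Only the first sample survives: the NE image and the text file never reach the signature check, and the truncated stub is rejected before an out-of-range read rather than raising an exception, which matters when the same routine is run over thousands of untrusted downloads.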

As an experiment, we searched Google with Google's own API to find malicious executables that Google's search engine had indexed. We queried not only for the NT signature, but also for unique identifiers within the PE file format that would suggest the file was potentially malicious.

Our results show that we were able to collect thousands of malicious binaries. Most were posted to newsgroups under false names that would normally trick a user; we also found many on forum sites, as well as on regular personal, educational, compromised, and underground sites. We found several pieces of spyware on poker and casino sites, along with variants of the Bagle and Mytob worms, various trojans, and many other malicious binaries.

Websense Security Labs - Blog

Linked by shanmuga Monday, 10th July 2006 1:40AM