Virus Trackers Find Malware With Google

Posted by Zonk on Tue Jul 11, 2006 10:27 AM
from the bug-hunters dept.
Casper the Angry Ghost writes "Malware hunters have figured out a way to use the freely available Google SOAP Search API, as well as WDSL, to find dangerous .exe files sitting on thousands of Web servers around the world. Queries can be written to examine the internals of web-accessible binaries, thus allowing the hunters to identify malicious code from across the internet." From the article: "We're finding literally thousands of sites with malicious code executables. From hacker forums, newsgroups to mailing list archives, they're all full of executables that Google is indexing. About 15 percent of the results came back from legitimate Web sites hijacked by malicious hackers and seeded with executables."
  • by yagu (721525) * <yayagu AT gmail DOT com> on Tuesday July 11 2006, @10:29AM (#15698349) Journal

    This raises Google's "no evil" equity significantly. Any mechanism to sniff out, identify, and hopefully proactively take measure to protect against the evil that is the web and its sinister demographic is a good thing.

    So, Google takes the "do no evil" a step further and calls evil out.

    There is a quote from the article I don't quite understand,

    "While we do not believe that the fact that Google is indexing binary file contents is a large threat, this is further evidence of a rise in Web sites being used as a method of storing and distributing malicious code," Websense said in a research note announcing the experiment.

    Is there some potential badness that Google is indexing binary file content? What might that be?

    • by mrxak (727974) on Tuesday July 11 2006, @10:37AM (#15698430)
      It's not really Google that's doing it, it's Websense using a Google tool.

      In any case, the only thing I can figure about the quote is that Google indexing these sites helps to spread the malware around. Somebody could type in "l337 hax0rs hax" and end up at a malware site.
    • by Anonymous Coward
      I think you're getting a little ahead of yourself in giving Google credit for this. It's not like creating an interface for malware hunting was intentional on their part...
    • by jc42 (318812) on Tuesday July 11 2006, @11:10AM (#15698730) Homepage Journal
      Is there some potential badness that Google is indexing binary file content? What might that be?

      The computer industry does have a nasty history of "shooting the messenger" when malware is reported. People really don't want to know that their machine has been compromised, especially if it implies lax security on their part. They routinely react by firing or prosecuting the people who do anything to pinpoint security problems like this. We can expect to read stories of threats against people who use this Google feature to find security problems.

      The obvious explanation here is the old "stupidity rather than malice" saying. But this might not always be true. When someone in authority attempts to punish someone for exposing a security problem, you should probably assume that they understand what they're doing and have a motive for their action. It's likely that some of those with the authority to punish messengers are doing so because they don't want the problems exposed, for reasons of personal (or institutional) profit.

    • The idea is to code the exploit in such a way that Google extracts the exploit itself as the content description in the index. This probably gives 200 bytes or so for the entire exploit (maybe more, I don't have time to try this stunt right now).

      The idea is to put up useful content into the web site, along with the exploit. Google will index, and when the target searches google, the code will be injected into the search results.

      Of course, this needs hacking; both trying to figure out what google will allow in the content section, and to find a browser exploit that can be exploited.

      Just sayin...

      Your point of trust (as the target) is your browser. Which means ONLY open source browsers should be used. Those, at least, are controllable as to the exposure and behaviour when being delivered content.

      Ratboy
      • Interesting until the reared its ugly head.

        Ratboy, you're not making sense with this: Your point of trust (as the target) is your browser. Which means ONLY open source browsers should be used. Those, at least, are controllable as to the exposure and behaviour when being delivered content.

        Most users who are 1) not programmers or 2) are programmers but have no familiarity with a particular browser source tree, don't have any more control over how content is handled by the browser with the exception of usi
    • Not sure what you are saying there ... Let's say a researcher uses a microscope to find a very deadly bacteria/virus; is the microscope company to blame for the find? Google is in the same position. The best thing they can do is to stop indexing sites with such content. But then where do we stop? Who decides what is malicious and what is not? Placing a prominent warning on search results may help Google users avoid such sites. But then Google is the loser - it's the same effect as placing gruesome images on
    • by pclminion (145572) on Tuesday July 11 2006, @12:02PM (#15699144)

      So, Google takes the "do no evil" a step further and calls evil out.

      Drop the stupid melodrama. Google is a mechanism for searching for strings of bytes inside other strings of bytes, and prioritizing the results according to certain algorithms. "Calling evil out?" You're insane. I suppose the ANSI C function strstr() is also a Wielder Of The Sword Of Righteousness?

      Is there some potential badness that Google is indexing binary file content? What might that be?

      How about the RIAA using it to locate caches of MP3 files? It's plausible that a person might have personal backups of their music collection (or *shock* music they purchased on iTunes) and accidentally have those files on a public web server. (Or they could be pirates -- the point is, the technology is not "good" nor is it "evil").

  • SOAP? (Score:5, Funny)

    by breckinshire (891764) on Tuesday July 11 2006, @10:29AM (#15698359) Homepage
    Google SOAP Search API
    Is there anything that the Snakes on a Plane Search API can't do?
  • Correction (Score:5, Informative)

    by BRSQUIRRL (69271) on Tuesday July 11 2006, @10:30AM (#15698363)
    That's WSDL [wikipedia.org], not WDSL. I felt really stupid for a moment trying to figure out what the heck WDSL was.
  • by Anonymous Coward
    What is a *.exe? Never seen that kind of file on any of my three operating systems. Good, one thing less to worry about.
  • So wait... (Score:3, Funny)

    by Skynet (37427) on Tuesday July 11 2006, @10:30AM (#15698376) Homepage
    Google is connecting to the whole Internet to fight a global virus infection?

    MY DAY HAS COME!!! MNMUAUAUAU!

    EXECUTE? [Y/N] _
  • by neonprimetime (528653) on Tuesday July 11 2006, @10:32AM (#15698383)
    About 15 percent of the results came back from legitimate Web sites hijacked by malicious hackers and seeded with executables

    Little did you know, even /. was hijacked! But the /. masses were not affected because the executables don't run on linux!
  • Is this similar to what SiteAdvisor [slashdot.org] is doing?
  • Web Site Contact (Score:3, Interesting)

    by RetroGeek (206522) on Tuesday July 11 2006, @10:41AM (#15698471) Homepage
    I hope the authors are planning to contact the affected site owners. The article did not mention this.

    They could also build a list of these sites to periodically check them to make sure the malware files have been removed.

    And it would be nice if they allowed a search facility so some FireFox/SeaMonkey plugin could check to see if that site you are going to has malware installed.
    • Given the current state of the law, it is really dangerous to contact a site owner and tell him that his site is insecure. It is quite likely that you will be prosecuted for "unauthorised access" to the site.

      Much better to just add the site to your personal list of things to avoid, and then forget about it.

      • Given the current state of the law, it is really dangerous to contact a site owner and tell him that his site is insecure. It is quite likely that you will be prosecuted for "unauthorised access" to the site. Much better to just add the site to your personal list of things to avoid, and then forget about it.

        Which doesn't help the rest of us. And why should a site owner get all bent out of shape if you tell them something they didn't happen to know? They must not be in direct control of the site or are

    • Re:Web Site Contact (Score:4, Interesting)

      by jafiwam (310805) on Tuesday July 11 2006, @11:53AM (#15699058) Homepage Journal
      Actually, what would be cool is a plugin that can do searches in the background (maybe based on urls linked in a page being currently viewed) and put up an automatic block or popup for the user to know that the link has malware.

      Or maybe a system to allow automatic DNS cache injection (on my own DNS client) to prevent lookups going to the correct (infected) site.

      Once sites realize that big parts of the user base are cutting them off preemptively, they'll take notice and get rid of the crap so they can get users back.
    • Exactly! I was wondering how to use this tool to scan my own website for bad critters.
  • ... world's dumbest criminals written all over it.
  • by Alamoth (927972) on Tuesday July 11 2006, @10:41AM (#15698479)
    It seems to me that the possibilities for uses of this application of SOAP would be highly beneficial. My initial thought would be the ability to filter your Google searches so that websites that are potentially carrying MalWare are either flagged or not shown at all.

    The 15% of sites that are reputable sites being attacked are the biggest threat. These are probably websites people visit often, and people should be warned. Perhaps even web browsers such as Firefox and IE could incorporate the API into a toolbar and warn users before a dangerous site loads.

    My only question is how long does it take for the API to verify the potential threat of a webserver? Is it fast enough for these applications to be feasible? No one wants to wait for their websites to load.
    • I think the real question is "How accurate is it?" I mean that in the sense that "false positives" could be the basis of a slander lawsuit, and "false negatives" are even more dangerous than no warning.

      I mean, Joe Average, assuming we get him to eventually worry about malware, might look at the SOAP thing, not see a warning, and assume that means it's a safe site (which may or may not be true). Then he'll get nailed, thinking other precautions are unnecessary.
    • My initial thought would be the ability to filter your Google searches so that websites that are potentially carrying MalWare are either flagged or not shown at all.
      I thought of that, too. But then it occurred to me that the legal folks at Google would probably see it as nothing more than a lawsuit waiting to happen.
  • How to (Score:5, Interesting)

    by mailspam (988188) on Tuesday July 11 2006, @10:46AM (#15698525)
    Search on google for something like signature:00004550 inurl:exe
    Then, click View HTML
    • Sure, that'll get you Windows .exe files, but most of the ones I see with that query are common downloads like Cygwin's setup.exe or the Perl installer or FileZilla's installer. What other sorts of keywords would you add?
    • Which gets you all Portable Executable files. How do you search for particular executables, for example to search for known malware? (Known malware that isn't polymorphic or in a packer, but virus scanners have the same problem).
      • Well, a lot of current malware is binary (mostly) identical in most of its variants. There are (sadly or luckily) few of the "old school" virus writers around anymore that take their time to carefully craft polys, so you have a decent chance that if you have a sample, you get an idea of its spread.
    • Re:How to (Score:2, Informative)

      Google can also filter results by file extension. eg: filetype:exe
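    The signature:00004550 query above matches the PE signature "PE\0\0" (bytes 50 45 00 00) read as a little-endian 32-bit value. The following Python is an added example, not code from this thread, Websense or Google: it applies the same header check locally so a site owner can sweep their own web root for Windows executables whatever their extension; the sample byte strings are constructed, not real binaries.

```python
import os
import struct

# The thread's Google query, signature:00004550, is the PE signature "PE\0\0"
# (bytes 50 45 00 00) read as a little-endian DWORD.  Same constant here.
PE_SIGNATURE = 0x00004550
MZ_MAGIC = b"MZ"          # DOS header magic at offset 0
E_LFANEW_OFFSET = 0x3C    # DOS header field holding the PE header offset


def is_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at
    a valid PE signature; a DOS-only .exe or an HTML page returns False."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(data):
        return False      # truncated file or bogus offset: not a PE we can trust
    (sig,) = struct.unpack_from("<I", data, e_lfanew)
    return sig == PE_SIGNATURE


def find_pe_files(root: str) -> list:
    """Walk `root`; return files carrying a PE header, whatever their extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # DOS stub + PE header sit at the front
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_pe(head):
                hits.append(path)
    return sorted(hits)


# Constructed samples (not real binaries): minimal PE header, DOS-only stub, HTML.
_buf = bytearray(0x80)
_buf[:2] = MZ_MAGIC
struct.pack_into("<I", _buf, E_LFANEW_OFFSET, 0x40)   # e_lfanew -> 0x40
struct.pack_into("<I", _buf, 0x40, PE_SIGNATURE)      # "PE\0\0" at 0x40
SAMPLE_PE = bytes(_buf)
SAMPLE_DOS_ONLY = b"MZ" + bytes(0x7E)                 # e_lfanew is 0, no PE sig
SAMPLE_HTML = b"<html><body>not an executable</body></html>"

if __name__ == "__main__":
    import sys
    for path in find_pe_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

Run it with the document root as the argument; anything it lists is a Windows binary served from that site, renamed or not, and worth a second look.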
  • Though it may be obvious to most, if you execute the Google search, don't just start clicking on the returned links, because the links point to virus-infected files. Our Trend Micro Office Scan immediately caught several viruses after clicking on several links...
  • by iamacat (583406) on Tuesday July 11 2006, @10:50AM (#15698567)
    Sniff everyone's servers for vulnerable binaries and do targeted attacks instead of random IP scans.
  • Why would anybody have .EXE files on their webservers? .EXE's don't run on Unix.
    • Why would anybody have .EXE files on their webservers? .EXE's don't run on Unix.

      Um, so that Windows users can download them, maybe?

      Just a guess ...

  • Hmmmm.... (Score:3, Funny)

    by cdr_data (916869) on Tuesday July 11 2006, @11:27AM (#15698878)
    Does it include NTKERNEL32.DLL in the list?

    Cdr. Data
  • "exe files"? How will they affect Linux? I have heard lots about "Linux viruses" or "Linux malware"; when will I be happy to see them instead of just reading about them? What kind of serious people use Windows anyway?
    • No. Two problems with that: One, that type would not return as a binary executable (aka download and run), it'd return HTML or the like. Two, they're looking for malicious programs (or, more likely, using Google to search for the actual malicious code in them.) If they were looking for all executables then they'd have to sift through every file on shareware sites, SourceForge, etc.