Virus Trackers Find Malware With Google
Casper the Angry Ghost writes "Malware hunters have figured out a way to use the freely available Google SOAP Search API, as well as WDSL, to find dangerous .exe files sitting on thousands of Web servers around the world. Queries can be written to examine the internals of web-accessible binaries, thus allowing the hunters to identify malicious code from across the internet." From the article: "We're finding literally thousands of sites with malicious code executables. From hacker forums, newsgroups to mailing list archives, they're all full of executables that Google is indexing. About 15 percent of the results came back from legitimate Web sites hijacked by malicious hackers and seeded with executables."
That's WSDL, not WDSL. I felt really stupid for a moment trying to figure out what the heck WDSL was.
No. Two problems with that: One, that type would not return as a binary executable (aka download and run), it'd return HTML or the like. Two, they're looking for malicious programs (or, more likely, using Google to search for the actual malicious code in them.) If they were looking for all executables then they'd have to sift through every file on shareware sites, SourceForge, etc.
Google can also filter results by file extension, e.g. filetype:exe
Well, a lot of current malware is binary (mostly) identical in most of its variants. There are (sadly or luckily) few of the "old school" virus writers around anymore that take their time to carefully craft polys, so you have a decent chance that if you have a sample, you get an idea of its spread.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The new Firefox 2.0 beta will query the Google blacklist... it's built into the browser and you can enable it by just checking a checkbox in the browser settings...
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.