Slashdot Mirror


Virus Trackers Find Malware With Google

Casper the Angry Ghost writes "Malware hunters have figured out a way to use the freely available Google SOAP Search API, as well as WDSL, to find dangerous .exe files sitting on thousands of Web servers around the world. Queries can be written to examine the internals of web-accessible binaries, thus allowing the hunters to identify malicious code from across the internet." From the article: "We're finding literally thousands of sites with malicious code executables. From hacker forums, newsgroups to mailing list archives, they're all full of executables that Google is indexing. About 15 percent of the results came back from legitimate Web sites hijacked by malicious hackers and seeded with executables."

11 of 113 comments

  1. do no evil, rat out evil by yagu · Score: 5, Interesting

    This raises Google's "no evil" equity significantly. Any mechanism to sniff out, identify, and hopefully proactively take measure to protect against the evil that is the web and its sinister demographic is a good thing.

    So, Google takes the "do no evil" a step further and calls evil out.

    There is a quote from the article I don't quite understand,

    "While we do not believe that the fact that Google is indexing binary file contents is a large threat, this is further evidence of a rise in Web sites being used as a method of storing and distributing malicious code," Websense said in a research note announcing the experiment.

    Is there some potential badness that Google is indexing binary file content? What might that be?

    1. Re:do no evil, rat out evil by mrxak · Score: 5, Interesting

      It's not really Google that's doing it, it's Websense using a Google tool.

      In any case, the only thing I can figure about the quote is that Google indexing these sites helps to spread the malware around. Somebody could type in "l337 hax0rs hax" and end up at a malware site.

    2. Re:do no evil, rat out evil by jc42 · Score: 4, Insightful

      Is there some potential badness that Google is indexing binary file content? What might that be?

      The computer industry does have a nasty history of "shooting the messenger" when malware is reported. People really don't want to know that their machine has been compromised, especially if it implies lax security on their part. They routinely react by firing or prosecuting the people who do anything to pinpoint security problems like this. We can expect to read stories of threats against people who use this Google feature to find security problems.

      The obvious explanation here is the old "stupidity rather than malice" saying. But this might not always be true. When someone in authority attempts to punish someone for exposing a security problem, you should probably assume that they understand what they're doing and have a motive for their action. It's likely that some of those with the authority to punish messengers are doing so because they don't want the problems exposed, for reasons of personal (or institutional) profit.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.

    3. Re:do no evil, rat out evil by pclminion · Score: 4, Insightful

      So, Google takes the "do no evil" a step further and calls evil out.

      Drop the stupid melodrama. Google is a mechanism for searching for strings of bytes inside other strings of bytes, and prioritizing the results according to certain algorithms. "Calling evil out?" You're insane. I suppose the ANSI C function strstr() is also a Wielder Of The Sword Of Righteousness?

      Is there some potential badness that Google is indexing binary file content? What might that be?

      How about the RIAA using it to locate caches of MP3 files? It's plausible that a person might have personal backups of their music collection (or *shock* music they purchased on iTunes) and accidentally have those files on a public web server. (Or they could be pirates -- the point is, the technology is not "good" nor is it "evil").

  2. SOAP? by breckinshire · Score: 5, Funny

    Google SOAP Search API

    Is there anything that the Snakes on a Plane Search API can't do?

  3. Correction by BRSQUIRRL · Score: 4, Informative

    That's WSDL, not WDSL. I felt really stupid for a moment trying to figure out what the heck WDSL was.

  4. Securing the Search Engine? by Alamoth · Score: 5, Interesting

    It seems to me that the possibilities for uses of this application of SOAP would be highly beneficial. My initial thought would be the ability to filter your Google searches so that websites that are potentially carrying malware are either flagged or not shown at all.

    The 15% of sites that are reputable sites being attacked are the biggest threat. These are probably websites people visit often, and people should be warned. Perhaps even web browsers such as Firefox and IE could incorporate the API into a toolbar and warn users before a dangerous site loads.

    My only question is how long does it take for the API to verify the potential threat of a webserver? Is it fast enough for these applications to be feasible? No one wants to wait for their websites to load.

  5. How to by mailspam · Score: 5, Interesting

    Search on Google for something like signature:00004550 inurl:exe
    Then, click View HTML
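The signature:00004550 in that query is the little-endian dword for the "PE\0\0" header that follows the DOS stub in a Windows executable. As an added example (not from this post or from Websense's tool), here is how an administrator auditing their own web root could run the same check locally: read hosted files and flag any whose bytes are actually a PE image, regardless of the extension they were uploaded under. The sample files are constructed inline and the helper names are my own.

```python
import struct

# "PE\0\0" stored little-endian is the dword 0x00004550 from the comment above;
# "MZ" is the magic at the start of the DOS stub that precedes it.
PE_SIGNATURE = b"PE\x00\x00"
MZ_MAGIC = b"MZ"

def pe_info(data: bytes):
    """Return (is_pe, machine) for a byte buffer.

    machine is the IMAGE_FILE_HEADER Machine word (0x14C = x86, 0x8664 = x64)
    when the buffer is a PE image, else None.
    """
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False, None
    # e_lfanew at offset 0x3C gives the file offset of the PE header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data):  # truncated or bogus pointer
        return False, None
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False, None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return True, machine

def build_minimal_pe(machine: int) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE header at 0x80."""
    hdr = bytearray(0x80)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + PE_SIGNATURE + struct.pack("<H", machine) + b"\x00" * 18

# Constructed stand-in for files found under a web root.
SAMPLE_FILES = {
    "download/setup.exe": build_minimal_pe(0x14C),
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "files/report.pdf": build_minimal_pe(0x8664),  # PE hiding behind a .pdf name
    "docs/readme.txt": b"MZ this only starts with the magic" + b"\x00" * 64,
}

def flag_executables(files):
    """Return paths whose content is a PE image, whatever the extension says."""
    return sorted(path for path, blob in files.items() if pe_info(blob)[0])

if __name__ == "__main__":
    for path in flag_executables(SAMPLE_FILES):
        print("PE image hosted at:", path, hex(pe_info(SAMPLE_FILES[path])[1]))
```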

  6. Just be careful when clicking the search links... by jbarr · Score: 4, Funny

    Though it may be obvious to most, if you execute the Google search, don't just start clicking on the returned links, because the links point to virus-infected files. Our Trend Micro Office Scan immediately caught several viruses after clicking on several links...

    --
    My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!

  7. Re:Little did you know by yourOneManArmy · Score: 5, Funny

    Actually, the real reason it was ineffective was because they put the executables in an article link.

  8. Indexing these MAY be exploitable by ratboy666 · Score: 5, Interesting

    The idea is to code the exploit in such a way that Google extracts the exploit itself as the content description in the index. This probably gives 200 bytes or so for the entire exploit (maybe more, I don't have time to try this stunt right now).

    The idea is to put up useful content into the web site, along with the exploit. Google will index, and when the target searches google, the code will be injected into the search results.

    Of course, this needs hacking; both trying to figure out what google will allow in the content section, and to find a browser exploit that can be exploited.

    Just sayin...

    Your point of trust (as the target) is your browser. Which means ONLY open source browsers should be used. Those, at least, are controllable as to the exposure and behaviour when being delivered content.

    Ratboy

    --
    Just another "Cubible(sic) Joe" 2 17 3061