Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, July 18, 2006

Researcher Takes Google Malware Search Public

A security researcher has posted a search tool that lets anyone sniff out malware using Google, a technique first discussed by California security vendor Websense.  HD Moore, the lead developer for the Metasploit Framework open-source exploit project, created a tool and posted code that shows how to use Google to look for specific data strings—which Moore dubbed “fingerprints”—within code already defined as malicious.

He worked with others, including researchers at the Offensive Computing project—who gave him access to their malware database—to create the code, which includes a malware signature generator, a malware Google API signature search application, and a malware downloader.

Last week, San Diego-based Websense noted that Google indexes binary files, in particular some Windows executables, and in general terms described how it created a toolset that used the search engine’s API to automate detection of malware and malicious code-infected sites on the Internet.

In a July 10 interview, Dan Hubbard, Websense’s senior director of security, said the company would share the search tools only with a select group of researchers.  “Rather than looking for strings within Bagle or MyDoom, look for the evidence of packers in executables.”

Moore and Hubbard also disagreed on the danger of publicly releasing a Google-based malware search tool, with the latter holding to Websense’s earlier position of keeping its findings within the security community by distributing them only on private mailing lists.

Posted on 07/18