By Robert McMillan
IDG News Service
July 10, 2006
A little-known capability in Google Inc.'s search engine has helped
security vendor Websense Inc. uncover thousands of malicious Web sites, as
well as several legitimate sites that have been hacked.
By taking advantage of Google's binary search capability, Websense created
new software tools that sniff out malware using the popular search engine,
Dan Hubbard, senior director of security and research at Websense, said
Friday. Websense researchers Googled for strings that were used in known
malware like the Bagle and Mytob worms and have uncovered about 2,000
malicious Web sites over the past month.
Though Google is widely used to search the Internet for Web pages and
office documents, its search engine can also peek through the binary
information stored in the normally unreadable executable (.exe) files that
run on Windows-based computers. "They actually look inside the internals
of an executable and index that information," Hubbard said.
Hubbard and his team plan to share their Google code with a select group
of security researchers but will not make the tools public, for fear that
they could be misused. Virus authors, for example, could use the Websense
software to search for worms and viruses to use in their attacks, Hubbard
said. "Instead of buying them on the black market, [an attacker] could
search for them and download them on his own," he added.
Some bloggers have pointed out that hackers might also be able to
manipulate the binary search feature to trick Google users into
downloading malicious software.
Hackers could add common search terms into their malicious code in order
to be included in search results, for example, and then show up alongside
legitimate Web sites. Google has seen that happen "on occasion" and is
making an effort to shield users from malicious software, a Google
Such an attack wouldn't work unless users clicked on the standard Windows
prompt indicating that they wanted the executable code to run on their
And that's something most Web surfers are smart enough to avoid, according
to Johnny Long, a security researcher at Computer Sciences Corp. "I think
the 'tricking your browser into running an executable file' trick is a
little old," said Long, who wrote the book Google Hacking for Penetration
Testers . "There are other, more elegant attacks to worry about."
The most interesting thing about Google's binary search capability is not
its security implications, Long said, but the fact that it shows that
Google may be thinking about becoming a file searching service. "There is
this whole wealth of files out there that Google's not touching," he said.
"This indicates that they're spreading out into more avenues and that
they're probably going to be crawling more content than what they're
looking at now."
Copyright 2006 International Data Group. All rights reserved.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.