By Ryan Naraine
July 17, 2006
H.D. Moore, creator of the Metasploit hacking tool and the security
researcher behind the MoBB (Month of Browser Bugs) project, has released a
search engine that finds live malware samples through Google queries.
The new Malware Search engine provides a Web interface that allows anyone
to enter the name of a known virus or Trojan and find Google results for
Web sites hosting malicious executables.
The release of the search engine was motivated in part by a recent
announcement by Websense Security Labs, of San Diego-based Websense, that
it was using the freely available Google SOAP (Simple Object Access
Protocol) Search API to find dangerous .exe files sitting on Web servers.
In an interview with eWEEK, Moore said he worked with researchers at the
Offensive Computing project to create the code after learning that
Websense was only sharing its research on private security mailing lists.
"My Web interface will identify specific malware without the Google API.
It directly searches Google using fingerprints from executables that we
already have," he said.
Moore's project uses code strings, or fingerprints in malware samples,
then runs a search on Google for those characteristics.
The search engine has been programmed with about 300 malware signatures
and Moore said he plans to add another 6,000 signatures in a future bug
Moore, who works as director of security research at BreakingPoint
Systems, based in Austin, Texas, said he was surprised to find that the
number of executables indexed by Google was much less than the figures
thrown out by Websense.
"I managed to get a copy of the Websense code this morning and the code
itself is useless. There are no signatures. There's no way to identify
malware using their tool unless you know what the malware is," Moore said.
He said Websense's claim that it was finding malicious code executables on
thousands of Web sites could not be verified. "We're actually looking for
known executables and we're not finding anything close to those numbers.
The reality is that Google doesn't index that much malware. Not even
close," Moore said.
In a July 10 interview with eWEEK, Dan Hubbard, senior director of
security and technology research at Websense, said his company was finding
thousands of hacker forums, newsgroups and mailing list archives hosting
malware executables. "While we do not believe that the fact that Google is
indexing binary file contents is a large threat, this is further evidence
of a rise in Web sites being used as a method of storing and distributing
malicious code," Hubbard said.
In Moore's malware search engine, a query for the virulent Bagle worm
returned 20 results, most from list archives hosting what appear to be
The engine, which uses fonts, colors and a logo that resembles Google's,
will also provide results for simple keywords like "email," "trojan" or
Moore said he does not plan to spend too much time on the project unless
Google starts indexing more malware samples. He has released the code for
a malware signature generator, a malware Google API signature search and a
malware downloader, and expects others to build on his work, he said.
Websense's Hubbard said he was surprised by Moore's claim that the company
was not sharing its information. "As per our original statements we have
shared this information with hundreds of researchers around the world and
have posted it into several mailing lists. We have also received gratitude
from several researchers for creating a useful tool to assist in the war
against malicious code," Hubbard said in an e-mail exchange July 17.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.