[ISN] Websense using Google's binary search to dig up malware

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 01:06:04 PDT


By Robert McMillan
IDG News Service
July 10, 2006

A little-known capability in Google Inc.'s search engine has helped 
security vendor Websense Inc. uncover thousands of malicious Web sites, as 
well as several legitimate sites that have been hacked.

By taking advantage of Google's binary search capability, Websense created 
new software tools that sniff out malware using the popular search engine, 
Dan Hubbard, senior director of security and research at Websense, said 
Friday. Websense researchers Googled for strings that were used in known 
malware like the Bagle and Mytob worms and have uncovered about 2,000 
malicious Web sites over the past month.

Though Google is widely used to search the Internet for Web pages and 
office documents, its search engine can also peek through the binary 
information stored in the normally unreadable executable (.exe) files that 
run on Windows-based computers. "They actually look inside the internals 
of an executable and index that information," Hubbard said.

Hubbard and his team plan to share their Google code with a select group 
of security researchers but will not make the tools public, for fear that 
they could be misused. Virus authors, for example, could use the Websense 
software to search for worms and viruses to use in their attacks, Hubbard 
said. "Instead of buying them on the black market, [an attacker] could 
search for them and download them on his own," he added.

Some bloggers have pointed out that hackers might also be able to 
manipulate the binary search feature to trick Google users into 
downloading malicious software.

Hackers could add common search terms into their malicious code in order 
to be included in search results, for example, and then show up alongside 
legitimate Web sites. Google has seen that happen "on occasion" and is 
making an effort to shield users from malicious software, a Google 
spokeswoman said.

Such an attack wouldn't work unless users clicked on the standard Windows 
prompt indicating that they wanted the executable code to run on their 

And that's something most Web surfers are smart enough to avoid, according 
to Johnny Long, a security researcher at Computer Sciences Corp. "I think 
the 'tricking your browser into running an executable file' trick is a 
little old," said Long, who wrote the book Google Hacking for Penetration 
Testers [1]. "There are other, more elegant attacks to worry about."

The most interesting thing about Google's binary search capability is not 
its security implications, Long said, but the fact that it shows that 
Google may be thinking about becoming a file searching service. "There is 
this whole wealth of files out there that Google's not touching," he said. 
"This indicates that they're spreading out into more avenues and that 
they're probably going to be crawling more content than what they're 
looking at now."

Copyright 2006 International Data Group. All rights reserved.

[1] http://www.amazon.com/exec/obidos/ASIN/1931836361/c4iorg

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 01:17:03 PDT